Edit tour

Windows Analysis Report
Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Overview

General Information

Sample name:	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
Analysis ID:	1631486
MD5:	2ebec0083b5b2e5383a18b60facad07c
SHA1:	be16ecd499f895583cf3d4e7dec37d0bbe37db5c
SHA256:	cb3a38b5b53f478a2a83ea040885ccb2bea9d29e3d9db4af38914bcd21bf89db
Tags:	exeLokiuser-threatcat_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Lokibot

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe (PID: 6212 cmdline: "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe" MD5: 2EBEC0083B5B2E5383A18B60FACAD07C)

powershell.exe (PID: 4092 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6984 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe (PID: 2140 cmdline: "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe" MD5: 2EBEC0083B5B2E5383A18B60FACAD07C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17cc8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x5093:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x138d7:$des3: 68 03 66 00 00 0x17cc8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17d94:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17ca8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x5073:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x138b7:$des3: 68 03 66 00 00 0x17ca8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17d74:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x78ebc:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x6626f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x74ab3:$des3: 68 03 66 00 00 0x78ebc:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x78f88:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 6212	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 6212	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 6212	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 6212	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x784fa:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0xa2e49:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0xc527b:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 2140	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 2140	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 2140	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x835d:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Click to see the 37 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, ParentProcessId: 6212, ParentProcessName: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe", ProcessId: 4092, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, ParentProcessId: 6212, ParentProcessName: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe", ProcessId: 4092, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T08:24:15.952104+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49736	104.21.112.1	80	TCP
2025-03-07T08:24:18.096044+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49738	104.21.112.1	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T08:24:15.016953+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49736	104.21.112.1	80	TCP
2025-03-07T08:24:17.286057+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49738	104.21.112.1	80	TCP
2025-03-07T08:24:18.203172+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49739	104.21.112.1	80	TCP
2025-03-07T08:24:20.253277+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49740	104.21.112.1	80	TCP
2025-03-07T08:24:22.262059+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.112.1	80	TCP
2025-03-07T08:24:24.280450+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49742	104.21.112.1	80	TCP
2025-03-07T08:24:26.201904+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49743	104.21.112.1	80	TCP
2025-03-07T08:24:28.252431+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49745	104.21.112.1	80	TCP
2025-03-07T08:24:30.261790+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49746	104.21.112.1	80	TCP
2025-03-07T08:24:32.144976+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49747	104.21.112.1	80	TCP
2025-03-07T08:24:34.171879+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49748	104.21.112.1	80	TCP
2025-03-07T08:24:36.223994+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.112.1	80	TCP
2025-03-07T08:24:38.286416+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.112.1	80	TCP
2025-03-07T08:24:40.256520+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49751	104.21.112.1	80	TCP
2025-03-07T08:24:42.436062+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.112.1	80	TCP
2025-03-07T08:24:44.492511+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49753	104.21.112.1	80	TCP
2025-03-07T08:24:46.435568+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.112.1	80	TCP
2025-03-07T08:24:48.342766+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49755	104.21.112.1	80	TCP
2025-03-07T08:24:50.571633+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49756	104.21.112.1	80	TCP
2025-03-07T08:24:52.611614+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49757	104.21.112.1	80	TCP
2025-03-07T08:24:54.471504+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49758	104.21.112.1	80	TCP
2025-03-07T08:24:56.531253+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.112.1	80	TCP
2025-03-07T08:24:58.517773+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.112.1	80	TCP
2025-03-07T08:25:00.654075+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.112.1	80	TCP
2025-03-07T08:25:02.564181+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49763	104.21.112.1	80	TCP
2025-03-07T08:25:04.503853+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49764	104.21.112.1	80	TCP
2025-03-07T08:25:06.454970+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49766	104.21.112.1	80	TCP
2025-03-07T08:25:08.384288+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49768	104.21.112.1	80	TCP
2025-03-07T08:25:10.286089+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49769	104.21.112.1	80	TCP
2025-03-07T08:25:12.156848+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49770	104.21.112.1	80	TCP
2025-03-07T08:25:14.107884+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49771	104.21.112.1	80	TCP
2025-03-07T08:25:16.002778+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49776	104.21.112.1	80	TCP
2025-03-07T08:25:17.904744+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49777	104.21.112.1	80	TCP
2025-03-07T08:25:19.830030+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49778	104.21.112.1	80	TCP
2025-03-07T08:25:21.749546+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49779	104.21.112.1	80	TCP
2025-03-07T08:25:23.671748+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49780	104.21.112.1	80	TCP
2025-03-07T08:25:25.749698+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49781	104.21.112.1	80	TCP
2025-03-07T08:25:27.653206+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49787	104.21.112.1	80	TCP
2025-03-07T08:25:29.562621+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49788	104.21.112.1	80	TCP
2025-03-07T08:25:31.357537+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49789	104.21.112.1	80	TCP
2025-03-07T08:25:33.311187+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49790	104.21.112.1	80	TCP
2025-03-07T08:25:36.249224+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49792	104.21.112.1	80	TCP
2025-03-07T08:25:38.308944+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49793	104.21.112.1	80	TCP
2025-03-07T08:25:40.250290+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49794	104.21.112.1	80	TCP
2025-03-07T08:25:42.075913+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49795	104.21.112.1	80	TCP
2025-03-07T08:25:44.013591+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49796	104.21.112.1	80	TCP
2025-03-07T08:25:45.812175+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49797	104.21.112.1	80	TCP
2025-03-07T08:25:47.967407+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49803	104.21.112.1	80	TCP
2025-03-07T08:25:49.967481+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49804	104.21.112.1	80	TCP
2025-03-07T08:25:51.857282+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49805	104.21.112.1	80	TCP
2025-03-07T08:25:53.826111+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49806	104.21.112.1	80	TCP
2025-03-07T08:25:55.717079+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49807	104.21.112.1	80	TCP
2025-03-07T08:25:57.675091+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49808	104.21.112.1	80	TCP
2025-03-07T08:25:59.470619+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49809	104.21.112.1	80	TCP
2025-03-07T08:26:01.372642+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49810	104.21.112.1	80	TCP
2025-03-07T08:26:03.435839+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49811	104.21.112.1	80	TCP
2025-03-07T08:26:05.350336+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49812	104.21.112.1	80	TCP
2025-03-07T08:26:07.171706+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49813	104.21.112.1	80	TCP
2025-03-07T08:26:09.225970+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49815	104.21.112.1	80	TCP
2025-03-07T08:26:11.148750+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49816	104.21.112.1	80	TCP
2025-03-07T08:26:13.761445+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49817	104.21.112.1	80	TCP
2025-03-07T08:26:15.675191+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49818	104.21.112.1	80	TCP
2025-03-07T08:26:17.570526+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49819	104.21.112.1	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T08:24:21.111104+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49740	TCP
2025-03-07T08:24:23.132235+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49741	TCP
2025-03-07T08:24:27.096804+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49743	TCP
2025-03-07T08:24:29.058560+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49745	TCP
2025-03-07T08:24:30.988596+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49746	TCP
2025-03-07T08:24:35.054813+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49748	TCP
2025-03-07T08:24:37.123128+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49749	TCP
2025-03-07T08:24:41.163880+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49751	TCP
2025-03-07T08:24:43.330839+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49752	TCP
2025-03-07T08:24:47.181143+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49754	TCP
2025-03-07T08:24:49.157166+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49755	TCP
2025-03-07T08:24:51.456830+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49756	TCP
2025-03-07T08:24:53.322281+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49757	TCP
2025-03-07T08:24:55.381294+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49758	TCP
2025-03-07T08:24:57.356353+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49759	TCP
2025-03-07T08:25:05.304132+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49764	TCP
2025-03-07T08:25:12.954696+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49770	TCP
2025-03-07T08:25:18.680858+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49777	TCP
2025-03-07T08:25:20.592318+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49778	TCP
2025-03-07T08:25:22.522515+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49779	TCP
2025-03-07T08:25:24.438733+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49780	TCP
2025-03-07T08:25:30.207269+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49788	TCP
2025-03-07T08:25:32.153167+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49789	TCP
2025-03-07T08:25:37.060188+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49792	TCP
2025-03-07T08:25:39.093482+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49793	TCP
2025-03-07T08:25:40.907252+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49794	TCP
2025-03-07T08:25:42.860696+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49795	TCP
2025-03-07T08:25:44.654383+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49796	TCP
2025-03-07T08:25:46.654242+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49797	TCP
2025-03-07T08:25:48.800830+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49803	TCP
2025-03-07T08:25:50.701884+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49804	TCP
2025-03-07T08:25:52.667670+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49805	TCP
2025-03-07T08:25:56.497743+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49807	TCP
2025-03-07T08:25:58.316752+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49808	TCP
2025-03-07T08:26:02.206157+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49810	TCP
2025-03-07T08:26:05.998810+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49812	TCP
2025-03-07T08:26:12.607088+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49816	TCP
2025-03-07T08:26:14.538815+0100	2025483	1	A Network Trojan was detected	104.21.112.1	80	192.168.2.4	49817	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T08:24:19.082760+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49739	104.21.112.1	80	TCP
2025-03-07T08:24:21.106091+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49740	104.21.112.1	80	TCP
2025-03-07T08:24:23.125095+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.112.1	80	TCP
2025-03-07T08:24:25.039844+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49742	104.21.112.1	80	TCP
2025-03-07T08:24:27.091578+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49743	104.21.112.1	80	TCP
2025-03-07T08:24:29.053470+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49745	104.21.112.1	80	TCP
2025-03-07T08:24:30.983553+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49746	104.21.112.1	80	TCP
2025-03-07T08:24:32.988040+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49747	104.21.112.1	80	TCP
2025-03-07T08:24:35.048363+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49748	104.21.112.1	80	TCP
2025-03-07T08:24:37.117967+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.112.1	80	TCP
2025-03-07T08:24:39.078178+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.112.1	80	TCP
2025-03-07T08:24:41.143475+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49751	104.21.112.1	80	TCP
2025-03-07T08:24:43.325583+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.112.1	80	TCP
2025-03-07T08:24:45.280345+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49753	104.21.112.1	80	TCP
2025-03-07T08:24:47.175993+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.112.1	80	TCP
2025-03-07T08:24:49.150723+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49755	104.21.112.1	80	TCP
2025-03-07T08:24:51.451712+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49756	104.21.112.1	80	TCP
2025-03-07T08:24:53.316430+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49757	104.21.112.1	80	TCP
2025-03-07T08:24:55.376170+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49758	104.21.112.1	80	TCP
2025-03-07T08:24:57.351310+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.112.1	80	TCP
2025-03-07T08:24:59.260948+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.112.1	80	TCP
2025-03-07T08:25:01.390790+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.112.1	80	TCP
2025-03-07T08:25:03.339456+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49763	104.21.112.1	80	TCP
2025-03-07T08:25:05.299137+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49764	104.21.112.1	80	TCP
2025-03-07T08:25:07.200606+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49766	104.21.112.1	80	TCP
2025-03-07T08:25:09.121305+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49768	104.21.112.1	80	TCP
2025-03-07T08:25:10.998882+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49769	104.21.112.1	80	TCP
2025-03-07T08:25:12.949268+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49770	104.21.112.1	80	TCP
2025-03-07T08:25:14.847990+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49771	104.21.112.1	80	TCP
2025-03-07T08:25:16.748573+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49776	104.21.112.1	80	TCP
2025-03-07T08:25:18.675762+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49777	104.21.112.1	80	TCP
2025-03-07T08:25:20.587269+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49778	104.21.112.1	80	TCP
2025-03-07T08:25:22.517407+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49779	104.21.112.1	80	TCP
2025-03-07T08:25:24.433485+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49780	104.21.112.1	80	TCP
2025-03-07T08:25:26.488716+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49781	104.21.112.1	80	TCP
2025-03-07T08:25:28.391050+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49787	104.21.112.1	80	TCP
2025-03-07T08:25:30.201618+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49788	104.21.112.1	80	TCP
2025-03-07T08:25:32.148176+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49789	104.21.112.1	80	TCP
2025-03-07T08:25:35.070684+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49790	104.21.112.1	80	TCP
2025-03-07T08:25:37.055102+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49792	104.21.112.1	80	TCP
2025-03-07T08:25:39.088328+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49793	104.21.112.1	80	TCP
2025-03-07T08:25:40.902109+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49794	104.21.112.1	80	TCP
2025-03-07T08:25:42.855622+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49795	104.21.112.1	80	TCP
2025-03-07T08:25:44.649256+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49796	104.21.112.1	80	TCP
2025-03-07T08:25:46.646752+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49797	104.21.112.1	80	TCP
2025-03-07T08:25:48.795742+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49803	104.21.112.1	80	TCP
2025-03-07T08:25:50.696739+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49804	104.21.112.1	80	TCP
2025-03-07T08:25:52.662595+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49805	104.21.112.1	80	TCP
2025-03-07T08:25:54.557778+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49806	104.21.112.1	80	TCP
2025-03-07T08:25:56.492057+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49807	104.21.112.1	80	TCP
2025-03-07T08:25:58.311517+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49808	104.21.112.1	80	TCP
2025-03-07T08:26:00.211017+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49809	104.21.112.1	80	TCP
2025-03-07T08:26:02.145508+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49810	104.21.112.1	80	TCP
2025-03-07T08:26:04.185987+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49811	104.21.112.1	80	TCP
2025-03-07T08:26:05.993706+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49812	104.21.112.1	80	TCP
2025-03-07T08:26:07.911549+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49813	104.21.112.1	80	TCP
2025-03-07T08:26:09.978728+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49815	104.21.112.1	80	TCP
2025-03-07T08:26:12.602010+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49816	104.21.112.1	80	TCP
2025-03-07T08:26:14.533811+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49817	104.21.112.1	80	TCP
2025-03-07T08:26:16.409908+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49818	104.21.112.1	80	TCP
2025-03-07T08:26:18.339274+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49819	104.21.112.1	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T08:24:15.016953+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49736	104.21.112.1	80	TCP
2025-03-07T08:24:17.286057+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49738	104.21.112.1	80	TCP
2025-03-07T08:24:18.203172+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49739	104.21.112.1	80	TCP
2025-03-07T08:24:20.253277+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49740	104.21.112.1	80	TCP
2025-03-07T08:24:22.262059+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49741	104.21.112.1	80	TCP
2025-03-07T08:24:24.280450+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49742	104.21.112.1	80	TCP
2025-03-07T08:24:26.201904+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49743	104.21.112.1	80	TCP
2025-03-07T08:24:28.252431+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49745	104.21.112.1	80	TCP
2025-03-07T08:24:30.261790+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49746	104.21.112.1	80	TCP
2025-03-07T08:24:32.144976+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49747	104.21.112.1	80	TCP
2025-03-07T08:24:34.171879+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49748	104.21.112.1	80	TCP
2025-03-07T08:24:36.223994+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49749	104.21.112.1	80	TCP
2025-03-07T08:24:38.286416+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49750	104.21.112.1	80	TCP
2025-03-07T08:24:40.256520+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49751	104.21.112.1	80	TCP
2025-03-07T08:24:42.436062+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49752	104.21.112.1	80	TCP
2025-03-07T08:24:44.492511+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49753	104.21.112.1	80	TCP
2025-03-07T08:24:46.435568+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49754	104.21.112.1	80	TCP
2025-03-07T08:24:48.342766+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49755	104.21.112.1	80	TCP
2025-03-07T08:24:50.571633+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49756	104.21.112.1	80	TCP
2025-03-07T08:24:52.611614+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49757	104.21.112.1	80	TCP
2025-03-07T08:24:54.471504+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49758	104.21.112.1	80	TCP
2025-03-07T08:24:56.531253+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49759	104.21.112.1	80	TCP
2025-03-07T08:24:58.517773+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49760	104.21.112.1	80	TCP
2025-03-07T08:25:00.654075+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49762	104.21.112.1	80	TCP
2025-03-07T08:25:02.564181+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49763	104.21.112.1	80	TCP
2025-03-07T08:25:04.503853+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49764	104.21.112.1	80	TCP
2025-03-07T08:25:06.454970+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49766	104.21.112.1	80	TCP
2025-03-07T08:25:08.384288+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49768	104.21.112.1	80	TCP
2025-03-07T08:25:10.286089+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49769	104.21.112.1	80	TCP
2025-03-07T08:25:12.156848+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49770	104.21.112.1	80	TCP
2025-03-07T08:25:14.107884+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49771	104.21.112.1	80	TCP
2025-03-07T08:25:16.002778+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49776	104.21.112.1	80	TCP
2025-03-07T08:25:17.904744+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49777	104.21.112.1	80	TCP
2025-03-07T08:25:19.830030+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49778	104.21.112.1	80	TCP
2025-03-07T08:25:21.749546+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49779	104.21.112.1	80	TCP
2025-03-07T08:25:23.671748+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49780	104.21.112.1	80	TCP
2025-03-07T08:25:25.749698+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49781	104.21.112.1	80	TCP
2025-03-07T08:25:27.653206+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49787	104.21.112.1	80	TCP
2025-03-07T08:25:29.562621+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49788	104.21.112.1	80	TCP
2025-03-07T08:25:31.357537+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49789	104.21.112.1	80	TCP
2025-03-07T08:25:33.311187+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49790	104.21.112.1	80	TCP
2025-03-07T08:25:36.249224+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49792	104.21.112.1	80	TCP
2025-03-07T08:25:38.308944+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49793	104.21.112.1	80	TCP
2025-03-07T08:25:40.250290+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49794	104.21.112.1	80	TCP
2025-03-07T08:25:42.075913+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49795	104.21.112.1	80	TCP
2025-03-07T08:25:44.013591+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49796	104.21.112.1	80	TCP
2025-03-07T08:25:45.812175+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49797	104.21.112.1	80	TCP
2025-03-07T08:25:47.967407+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49803	104.21.112.1	80	TCP
2025-03-07T08:25:49.967481+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49804	104.21.112.1	80	TCP
2025-03-07T08:25:51.857282+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49805	104.21.112.1	80	TCP
2025-03-07T08:25:53.826111+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49806	104.21.112.1	80	TCP
2025-03-07T08:25:55.717079+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49807	104.21.112.1	80	TCP
2025-03-07T08:25:57.675091+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49808	104.21.112.1	80	TCP
2025-03-07T08:25:59.470619+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49809	104.21.112.1	80	TCP
2025-03-07T08:26:01.372642+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49810	104.21.112.1	80	TCP
2025-03-07T08:26:03.435839+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49811	104.21.112.1	80	TCP
2025-03-07T08:26:05.350336+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49812	104.21.112.1	80	TCP
2025-03-07T08:26:07.171706+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49813	104.21.112.1	80	TCP
2025-03-07T08:26:09.225970+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49815	104.21.112.1	80	TCP
2025-03-07T08:26:11.148750+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49816	104.21.112.1	80	TCP
2025-03-07T08:26:13.761445+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49817	104.21.112.1	80	TCP
2025-03-07T08:26:15.675191+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49818	104.21.112.1	80	TCP
2025-03-07T08:26:17.570526+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49819	104.21.112.1	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T08:24:15.016953+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49736	104.21.112.1	80	TCP
2025-03-07T08:24:17.286057+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49738	104.21.112.1	80	TCP
2025-03-07T08:24:18.203172+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49739	104.21.112.1	80	TCP
2025-03-07T08:24:20.253277+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49740	104.21.112.1	80	TCP
2025-03-07T08:24:22.262059+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.112.1	80	TCP
2025-03-07T08:24:24.280450+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49742	104.21.112.1	80	TCP
2025-03-07T08:24:26.201904+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49743	104.21.112.1	80	TCP
2025-03-07T08:24:28.252431+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49745	104.21.112.1	80	TCP
2025-03-07T08:24:30.261790+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49746	104.21.112.1	80	TCP
2025-03-07T08:24:32.144976+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49747	104.21.112.1	80	TCP
2025-03-07T08:24:34.171879+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49748	104.21.112.1	80	TCP
2025-03-07T08:24:36.223994+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.112.1	80	TCP
2025-03-07T08:24:38.286416+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.112.1	80	TCP
2025-03-07T08:24:40.256520+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49751	104.21.112.1	80	TCP
2025-03-07T08:24:42.436062+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.112.1	80	TCP
2025-03-07T08:24:44.492511+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49753	104.21.112.1	80	TCP
2025-03-07T08:24:46.435568+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.112.1	80	TCP
2025-03-07T08:24:48.342766+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49755	104.21.112.1	80	TCP
2025-03-07T08:24:50.571633+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49756	104.21.112.1	80	TCP
2025-03-07T08:24:52.611614+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49757	104.21.112.1	80	TCP
2025-03-07T08:24:54.471504+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49758	104.21.112.1	80	TCP
2025-03-07T08:24:56.531253+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.112.1	80	TCP
2025-03-07T08:24:58.517773+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.112.1	80	TCP
2025-03-07T08:25:00.654075+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.112.1	80	TCP
2025-03-07T08:25:02.564181+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49763	104.21.112.1	80	TCP
2025-03-07T08:25:04.503853+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49764	104.21.112.1	80	TCP
2025-03-07T08:25:06.454970+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49766	104.21.112.1	80	TCP
2025-03-07T08:25:08.384288+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49768	104.21.112.1	80	TCP
2025-03-07T08:25:10.286089+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49769	104.21.112.1	80	TCP
2025-03-07T08:25:12.156848+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49770	104.21.112.1	80	TCP
2025-03-07T08:25:14.107884+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49771	104.21.112.1	80	TCP
2025-03-07T08:25:16.002778+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49776	104.21.112.1	80	TCP
2025-03-07T08:25:17.904744+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49777	104.21.112.1	80	TCP
2025-03-07T08:25:19.830030+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49778	104.21.112.1	80	TCP
2025-03-07T08:25:21.749546+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49779	104.21.112.1	80	TCP
2025-03-07T08:25:23.671748+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49780	104.21.112.1	80	TCP
2025-03-07T08:25:25.749698+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49781	104.21.112.1	80	TCP
2025-03-07T08:25:27.653206+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49787	104.21.112.1	80	TCP
2025-03-07T08:25:29.562621+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49788	104.21.112.1	80	TCP
2025-03-07T08:25:31.357537+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49789	104.21.112.1	80	TCP
2025-03-07T08:25:33.311187+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49790	104.21.112.1	80	TCP
2025-03-07T08:25:36.249224+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49792	104.21.112.1	80	TCP
2025-03-07T08:25:38.308944+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49793	104.21.112.1	80	TCP
2025-03-07T08:25:40.250290+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49794	104.21.112.1	80	TCP
2025-03-07T08:25:42.075913+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49795	104.21.112.1	80	TCP
2025-03-07T08:25:44.013591+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49796	104.21.112.1	80	TCP
2025-03-07T08:25:45.812175+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49797	104.21.112.1	80	TCP
2025-03-07T08:25:47.967407+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49803	104.21.112.1	80	TCP
2025-03-07T08:25:49.967481+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49804	104.21.112.1	80	TCP
2025-03-07T08:25:51.857282+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49805	104.21.112.1	80	TCP
2025-03-07T08:25:53.826111+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49806	104.21.112.1	80	TCP
2025-03-07T08:25:55.717079+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49807	104.21.112.1	80	TCP
2025-03-07T08:25:57.675091+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49808	104.21.112.1	80	TCP
2025-03-07T08:25:59.470619+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49809	104.21.112.1	80	TCP
2025-03-07T08:26:01.372642+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49810	104.21.112.1	80	TCP
2025-03-07T08:26:03.435839+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49811	104.21.112.1	80	TCP
2025-03-07T08:26:05.350336+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49812	104.21.112.1	80	TCP
2025-03-07T08:26:07.171706+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49813	104.21.112.1	80	TCP
2025-03-07T08:26:09.225970+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49815	104.21.112.1	80	TCP
2025-03-07T08:26:11.148750+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49816	104.21.112.1	80	TCP
2025-03-07T08:26:13.761445+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49817	104.21.112.1	80	TCP
2025-03-07T08:26:15.675191+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49818	104.21.112.1	80	TCP
2025-03-07T08:26:17.570526+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49819	104.21.112.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://kbfvzoboss.bid/alien/fre.php	Avira URL Cloud: Label: phishing
Source: http://alphastand.win/alien/fre.php	Avira URL Cloud: Label: malware
Source: http://alphastand.trade/alien/fre.php	Avira URL Cloud: Label: malware
Source: http://alphastand.top/alien/fre.php	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for submitted file

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Virustotal: Detection: 37%			Perma Link
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	ReversingLabs: Detection: 31%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

3_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49764 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49764 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49764 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49747 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49747 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49747 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49771 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49757 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49771 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49757 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49757 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49755 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49755 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49750 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49755 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49750 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49750 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49771 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49738 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49750 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49771 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49742 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49797 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49797 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49764 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49738 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49742 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49760 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49738 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49739 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49749 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49742 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49749 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49749 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49793 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49793 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49742 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49793 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49776 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49776 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49749 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49776 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49769 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49769 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49769 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49738 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49751 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49751 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49751 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49745 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49741 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49741 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49741 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49745 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49789 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49745 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49789 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49796 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49739 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49804 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49741 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49758 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49777 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49766 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49766 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49796 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49796 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49739 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49751 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49804 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49804 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49739 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49793 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49768 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49768 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49768 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49755 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49804 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49747 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49766 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49768 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49779 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49777 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49779 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49736 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49770 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49736 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49736 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49797 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49758 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49758 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49760 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49760 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49797 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49779 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49766 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49777 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49760 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49764
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49770 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49770 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49769 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49787 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49736 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49789 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49770 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49776 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49758 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49745 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49779 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49743 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49743 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49796 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49743 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49789 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49809 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49777 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49790 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49793
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49757 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49763 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49763 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49763 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49787 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49763 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49770
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49759 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49787 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49759 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49759 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49787 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49796
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49759 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49743 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49755
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49797
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49811 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49811 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49811 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49813 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49813 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49813 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49746 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49746 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49746 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49811 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49813 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49748 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49748 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49746 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49748 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49790 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49790 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49804
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49819 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49790 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49819 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49819 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49757
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49789
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49819 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49740 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49740 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49740 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49740 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49746
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49748 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49743
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49803 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49803 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49803 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49756 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49756 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49756 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49745
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49756 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49810 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49810 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49803 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49777
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49810 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49758
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49780 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49740
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49780 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49779
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49810 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49780 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49795 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49792 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49792 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49792 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49795 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49792 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49795 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49756
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49809 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49809 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49780 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49748
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49778 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49778 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49778 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49795 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49752 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49752 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49752 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49808 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49808 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49808 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49781 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49781 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49781 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49778 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49809 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49752 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49792
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49759
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49781 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49810
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49754 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49754 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49754 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49754 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49803
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49812 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49812 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49812 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49812 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49754
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49780
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49805 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49805 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49753 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49808 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49805 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49753 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49753 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49762 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49762 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49762 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49805 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49762 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49753 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49778
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49788 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49788 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49788 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49807 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49807 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49807 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49805
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49807 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49788 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49795
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49794 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49794 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49794 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49794 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49807
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49815 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49815 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49815 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49815 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49808
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49806 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49806 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49806 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49806 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49788
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49817 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49817 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49817 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49817 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49818 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49818 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49818 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49818 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49794
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49816 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49816 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49816 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49816 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49812
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49816
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.112.1:80 -> 192.168.2.4:49817

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1

Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 149Connection: close

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Code function: 3_2_00404ED4 recv,

3_2_00404ED4

Source: global traffic

DNS traffic detected: DNS query: touxzw.ir

Source: unknown

HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:15 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xPMazyWAjw2qvHYUTCu%2F1uEyKZKLF5%2BeKo5YyjcGfNhw9R59mO5MG5NuzFeRwfFdHW9fs477aZKOr9%2FVqmroWJSQVdSVo46bcN%2FPqDydfJ%2FfTz9rPL9tcJEeymY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85a24fee84a1a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=26441&min_rtt=26441&rtt_var=13220&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=414&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:18 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N83Wbg6XaS82f7PDOdVzkrCdqHB0rknfJn%2FTUUvWXzwgfi5CHaz3K%2Ffy9%2FzehjeBZ3lzpTB4AvYFDxdxm0mQc23S1PsQPVN%2FaazkvHobOiee%2B6nvO%2Ba7Rz8udl4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85a32a84b0f5b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1680&min_rtt=1680&rtt_var=840&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=414&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:21 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TXv85QQSOQuu4DNsOeUcZJi3sx8HD2988h%2BzGR6PC0%2BzlKaKpnBJF%2FI4OyGIWac%2FyOiOPIqydHYDyRJ1JgqGw7Ntz59V9LTfYPjih7fa%2FL2lXL4eKYPg2t3yzDE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85a4598b7424b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1570&min_rtt=1570&rtt_var=785&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:23 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7NMOgnZzB1KoSDFXllUtOX1gQjmD1uz3R6TN%2B55zmvuw3l7iICfUSgH4TmroYisGNK3p460IPxSaDi92%2BA2zbrkGDzh0TFVHuayKkZBQevYGPDt2stpgXWerrjc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85a522a95c34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1524&min_rtt=1524&rtt_var=762&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:27 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N%2BckHlQ71RVxj98O8BtTWgTZinP54IXpGiIF5dykW8rZyQ155d1DfIGmWXLBUvy0tIIfMmq2y95jYsLxKZ5JrprOUYi9IwEZvchji2qZadNnc4ezle9h%2FwK9CCY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85a6aee7e729f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=51462&min_rtt=51462&rtt_var=25731&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:28 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3PhjASWH1WDGCZUN3UZXV9x00ChgNbrwv8ko4bXsNUYmlKSbHrRuDfkudrD1CEWpg4XKLGgVYMvSdV54sGafJ6leEiYHNFH7459sZDKpwaBdbH92Tk9SRrHWgXQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85a77398f0f5b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1586&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:30 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UYooWiG6Vtar01VTLv%2FWgmoo1iuleW2eiIbux3tVE6mYRA6IxT%2FVc%2FxQB13sSRKl0PzTkoQa3iinJ%2FzixjGXraKrutGVnFECG%2Fs6%2F3ayj%2B0u%2Bg95a8Up4EVdRMU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85a844fa8c34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1422&min_rtt=1422&rtt_var=711&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:34 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EqGR0KgLN5c6cuU92f54YD9DQ5wBie%2FkM%2BR2VDzSGwm7CWCjdN%2FS9D4OZt4nLKZLhY4C6Q3SfVP4vhJMkY6ZNwlgUWtP6IweF7olQrQEADkhcOHZK93wQ9opFiI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85a9cca060f5b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7154&min_rtt=7154&rtt_var=3577&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:37 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4vo3XCJ4w6hGrNAWDI3G3WRHTLCcTKzsTDwEXHNt0U%2Fb1wZpBl79UElzCBs%2F1S6nvwP%2BzLfurXwvbsoNwdtBl8vZKtkRpstWTRS7RSKaxqsgrlKigD3XSdyf8qY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85aa9abd414a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=21364&min_rtt=21364&rtt_var=10682&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:41 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gqRVp371OLqdLk1UMG1i%2F4F5cGiKjKmZMcWQL3%2BTWcJn4RzHeCVkvvEdpWIWHB2DZGfjdNrvD91qyMpkKF%2BSxAJUmqw%2BjlbGa59BzM0VOkPu%2FWgJbRqzD%2F8KvN4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85ac2ea0a4a1a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=47804&min_rtt=47804&rtt_var=23902&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H%2BjCT%2BQaz5L4IgZcM6Tof9nEvCop00d1SqUuBtTbicK%2BoPJUOJuO16iWtxq73LLw7MFd6eRF2fbzTQg%2BRTQgWP7ZTjJonFr%2B8EhbRRxr%2BHwaBC2KmdqPJiWVHdQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85ad08fc80f5b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=48767&min_rtt=48767&rtt_var=24383&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:47 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iDV03I74igz4KXniH7GEV9XCp89fR9cLhtMmhDsotQ80JOKT%2FXL3YkzBKaZQC91lSC4z9jhfn7Seqf8M32DWGMkosI7BcMqHBO1UOYZO55ZvRKnmseiEDVQ1N60%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85ae97efec34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=52363&min_rtt=52363&rtt_var=26181&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:49 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RDW5uyft%2FexaWOXMw9CKjPqZL6IkGXMdB8TTh7oDrfAIzkCqP6lPbVsBPIAcpUWoWJeEWY319AdZu2D5ydn%2FU1Mxy1pzktLjItC71BsXT4iZ2C77ABG0AOYaRFA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85af4d9b1729f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1975&min_rtt=1975&rtt_var=987&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:51 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DtRWjpdv0mvHGeftVBia8A9JQBKpH0GMUycTti2cNSAbcKHWSvxiBIbr82yy4VVTSarW5guak0nz8NVXe8XuwbSf1n4Hgs8kbIsi24gStpHOHTN4iF9DWBdqVqw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85b033ef94a1a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=41365&min_rtt=41365&rtt_var=20682&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kD0gsc9TZw9QaMwe93ntYFxiYtpBUY7ZA8TwIIp9IgG9Ij1r5mNQsdmOz2urrDznamazIJly5YkKIF4c%2Fy2xK%2Fnd%2BGLoF2dHWUY%2BrWhHB14fjwRkLR%2FpHrv5etc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85b0f7b344a1a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2035&min_rtt=2035&rtt_var=1017&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u0hiqAXapVbz%2Bipj%2B7vEtRxLsgxucSDXAq6VVsqikOzvPo065FCqdLiQHIKdkgL1P8hlTS3iXS1rhJ09TKWubR4HtcQAJTrwQ51PWlSAl3NGYccKa3%2B9w%2BVxWXQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85b1bca2e424b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=42135&min_rtt=42135&rtt_var=21067&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:24:57 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VU%2FP9kTp92xf1ec3gMiCNW91Q3qjJPcoosZuUkDG3pBc%2B8vxFiJXDpHggxkxO54i%2BBzTrb0h6pr%2FUxjdkF%2Fhp705WPCIWLqwBp4stvDZZq%2BrURIJq5iXvTHBV%2FE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85b27fe2114a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1598&rtt_var=799&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ga9X4zVJdVMOyTaOyBcIWR9PRqAZYl3XxaDRGoesw4ErxZ5j6KbYp48t%2F5B0WM5TKozGdaTV2EtqUID%2F3apYoM3qzS8%2BuH1PQiiapvvobAgvQG3eQxnF4GFDKuo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85b59dfda0f5b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1684&min_rtt=1684&rtt_var=842&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:12 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qvno77QQpsV8iCxUb1zhNxdxp54jghTP93tv78eBgKQRvrkxKrAqClbxzc%2FilT9kcQ5dqLeLzaNAhytffvsX5t%2F%2Fz9VPvb%2BBZWaMIxmWww8BtBaQskMPu6BnY6g%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85b8999dd727b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1951&min_rtt=1951&rtt_var=975&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:18 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=61BeeYzD2dJtwxZV4ew05urAGyWQ29Vy%2FzqUdCS5geh0%2Fz9QP2tSLs5rxVeqnijc2FTXt5U5ekaDCjQHZTX9nqTvGwhonmunHBURANJ4oEF5ePjdDHE1E1wLEFc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85bad6b3e727b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1965&min_rtt=1965&rtt_var=982&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:20 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TW87pzhnztJODsoEMteBiwXPjkNH7GrDuMD%2F0m%2BDeNV4CqrLJ55cl4cXLqerANjOW9TfHX6nOi4EvNzRjYuvZLts5zYBgo%2FCXx%2B%2FSgqHwehStgCEuH4kBM7YskM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85bb97bba14a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1649&min_rtt=1649&rtt_var=824&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=57aNI%2Ftyng6fQEm8FOhZFvpF2ASGiBQWVPUsaQC6Af8841OZaT7QigcOD6GzL3rD3ckV%2FaB4qkXNTvrRfDFLJwpX69npSa6T6siG5PnJ5HbARRXByMWJKsBBRSI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85bc57ffe729f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1944&min_rtt=1944&rtt_var=972&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JM0TdQtjMLsyA60%2FRChN9XthFn2Eg437HubQGBuVxVxy8%2B82CqBATD3rkKnTCAms5i3sjnC5ALGi3TQip4RetB9SHKYYuFp25PVklXe%2FAhvX6snVZZEDeYXhr8A%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85bd17827c34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1448&min_rtt=1448&rtt_var=724&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:30 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wWNmdZxgl3PyX41Uyp30MgmwzVvINU4JHP2AqAU2DgJnMFM%2FdWDiCixElii2plTgkr6%2FCR2SFxhlOgCeQQWqXXRDhXC4j9MKskNC3U1Lb71USy%2Bd2W3wNDaPz7o%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85bf648e94a1a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1985&min_rtt=1985&rtt_var=992&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:32 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WxNqkeUTgwSMmhXx59tOSe2t%2B26JY2kp9xwyVFLdQlyqXKrc%2BYf9yacKmT3kB%2B%2FqSEb%2B9%2F6UHnHuJmB3rShK%2FwmCP33Cm1G0XVvm8mL2Z1Kpay4tpQ57%2FFdTrZQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85c018d8714a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1629&min_rtt=1629&rtt_var=814&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:37 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mgAYZqfhdaDjUuXw2ENqD%2Bxu4CMtIxVbaFgB3JU70Srqb9lzvXycWhndoINg0A70b7V3yDWcJa0aNyC2FKujLJchWAa%2Bin3EXfvRE42bo%2BKrnmLF%2Fo5G6IjufUA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85c203e9a727b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1928&min_rtt=1928&rtt_var=964&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:39 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JVgAACYC0ViAj0RE6osIqbXg0u1Ayav7ZhhdpqUBHcORPk75TYpSV6TYAQFFyhQA6CX1GxfCkRl0wxlhx3LVuqfVGfyxVo74Z2mkjMwPcOiPOzklpmK7ROwYybw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85c2d0cc0729f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1952&min_rtt=1952&rtt_var=976&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:40 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NGjH3r2PS6I1KeUR8tnBQ5%2F9I6TMldtjImt7vshlIc9gtNGtK2V7hLQwhOWzdCXyEBX90pXB7WtKYPBOJztHLSBwDMFbL9J7VUTPLyu9CFKCC2pwnkjfWFvb4Gg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85c391c7d4a1a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2009&min_rtt=2009&rtt_var=1004&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jye%2FIgbsnrPe6fVmoR8gQiJLm37XmkBBkCr0JwnyH7Qnchao4szkPkLYsQnrg4AijTHqg4D0HqIgS%2BbnfAD3Vb195%2BrbHsfZR0hR3OwGXyhQIqAQr6crYKYVGks%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85c448f42c34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1447&min_rtt=1447&rtt_var=723&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nin5mdfLsevAzSV9ziD5V4kWGZFRymiYgZcqXhkIx1wAXxPWSA7ajTq219POICP551rMkiE14PRNBh2LVBWipTmZ%2Bu%2FvFaMyfLJMjcQQnYLI77yoKi%2FhZDHnxyk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85c509dd44a1a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2026&min_rtt=2026&rtt_var=1013&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=neVmduF%2Fky7m4Z5rVlJfUsJ4Qb%2FMkJSEIih3Mu2Mfk5WeGZTASBXSTmE94k0gOvx6Bp9qOw0mbrefpA2HhGADLf1piYa7R9R7L3nq0Em8C9m0xGd8gFfcIwQCxk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85c5bda69727b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1946&min_rtt=1946&rtt_var=973&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dO7%2FeNaf1oFlvkPd19GAT9FFTCf6O%2FPthOCPDCMpnVPsXyKjcA%2FJhWp4b4bxkmzWsib4OydEGwYzXehyjGclslGWH%2FEnrbW0ILAlKfYh9XkdvUccmai%2FQzF1h%2FU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85c697e770f5b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1735&min_rtt=1735&rtt_var=867&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IaAePKi%2FtZ3NMgEUeSc4NInhczM6Q%2FH6TzeB1kEs28IOE8IEHuZHhMjT68EdazYT09IqVBBTe9xnboATp%2B%2FB6yQfZyUg9oPnJEfQ%2BQsPX8LphX%2FfBbqqU%2Bw3YYk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85c760a0dc34f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1477&min_rtt=1477&rtt_var=738&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:52 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ipeJZR9PNQHy8NMqU%2FreTH6smvPF6kjao%2Bp11vy8bAgJtYuFDaBCc2MStgv8EKDrTtJ1PtMf2Ezrm6nVPSHIHPDDO4IHJgDHXdsSNqxfa44t%2FNZT2JnglDwiZbQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85c81b89d0f5b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1648&rtt_var=824&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:56 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VlVkNw0VXdOR3pVZCKma%2FZi7nEI6TmHyhZeW6JUvxfLUAc1zbYIY3D9HfjidD8ik9ZyipsDlZrcoaWVVOdVKvfjQw7oBLKYJNmYyPqgMBJ0XKHqfFgFIQ4AK0Zk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85c99ce87729f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2073&min_rtt=2073&rtt_var=1036&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:25:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I70OUFLp%2FwVQLPGURiPFbJSBHJbvmzy5TBu7yi%2BIA%2BiqMC%2BZkbmC5%2BWuw3ZweNxm23CB5Z0s9qHZkE%2BmFG%2BA7gFrYiVrkYcVrjujP7No9N1bR51slSWEIsyuuaw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85ca60dd7727b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1859&min_rtt=1859&rtt_var=929&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:26:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vh%2Bdb6GyNUcOkWOlDsOld79TxpCvprQ%2FgFuLfnElYq8N9NfKX5OyEWnoyZQIR3%2Fzu9fVuAAEpOqJG%2F4qT37dV1vGLQ4iZjGUs70dp5kDiAab8ryPUkV5%2FEvgBIw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85cbd290c14a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1650&rtt_var=825&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:26:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9w3MnqKXMIQopoxdwTxJ3FPj2NDo6DxIRRyXiBNkOm4HFmhjFDQD1CUIShaeonMAGSBoF441Wy1J8GrQx30iEB1r2q9vwxnZtrqO0%2FVrMDof58MZjvo%2FXjh17hw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85cd608914a1a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2066&min_rtt=2066&rtt_var=1033&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:26:12 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G8hk09Zfht9ZAzgAuxQvsZpZ%2BSkXKFH%2F%2FQYiWrViEtCoZHUM0qzTC%2F%2BZL%2BL%2BcmgTaz%2F5xn0tEv%2Blw405%2B0j0lHehFRBThM559c0zv%2FX9uPBQRLtN6zoxuWktGMs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85cfa3d6f14a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1613&rtt_var=806&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 07:26:14 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nFNyii3UmgIBahGqChRTtEBLfM9%2B9FUV8zEhPkm1nZUjQ1neO%2FFeulwtmTT7VJJCfPJSb83ArPEn6eSPvlcmUalErYkrQWwtCVsKqdw%2FApYnF3%2Bon3txiAyiSYU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c85d0a8e98424b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1668&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=387&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp, Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740399992.00000000059C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 6212, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 2140, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_02F73E40	0_2_02F73E40
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_02F76F90	0_2_02F76F90
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_02F7DA7C	0_2_02F7DA7C
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_05582131	0_2_05582131
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_05580518	0_2_05580518
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_05580509	0_2_05580509
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_0560B56C	0_2_0560B56C
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_056087C8	0_2_056087C8
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_056087D8	0_2_056087D8
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_0560D178	0_2_0560D178
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_0799E700	0_2_0799E700
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_0799C720	0_2_0799C720
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_0799E6F0	0_2_0799E6F0
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_0799C2B5	0_2_0799C2B5
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_0799C2E8	0_2_0799C2E8
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_0799EC10	0_2_0799EC10
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_0799CB58	0_2_0799CB58
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_07B732D8	0_2_07B732D8
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 3_2_0040549C	3_2_0040549C
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 3_2_004029D4	3_2_004029D4

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: String function: 00405B6F appears 42 times

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1738700817.000000000405C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1736504866.0000000003139000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1736504866.000000000325B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1730608006.000000000110E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1741619317.0000000007A0A000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1741305661.00000000077C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1736504866.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000000.1683902951.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLFgx.exe2 vs Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1741438908.000000000793A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Binary or memory string: OriginalFilenameLFgx.exe2 vs Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 6212, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 2140, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, DJ0csheIXwfPODPuyJ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, DJ0csheIXwfPODPuyJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, E8mOPthvLlg3oa2bF7.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, E8mOPthvLlg3oa2bF7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, E8mOPthvLlg3oa2bF7.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, E8mOPthvLlg3oa2bF7.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, E8mOPthvLlg3oa2bF7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, E8mOPthvLlg3oa2bF7.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, DJ0csheIXwfPODPuyJ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, DJ0csheIXwfPODPuyJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/8@1/1

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Code function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

3_2_0040650A

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Code function: 3_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

3_2_0040434D

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Mutant created: \Sessions\1\BaseNamedObjects\IDlLngTRSRAhnXQyjoNjdlkzs
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3320:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svwdn54e.yc5.ps1

Jump to behavior

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Virustotal: Detection: 37%
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe"
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe"
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process created: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process created: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, E8mOPthvLlg3oa2bF7.cs	.Net Code: OkVotAULVQZiJnT2ROR System.Reflection.Assembly.Load(byte[])
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, E8mOPthvLlg3oa2bF7.cs	.Net Code: OkVotAULVQZiJnT2ROR System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 2140, type: MEMORYSTR

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 0_2_05585F35 push dword ptr [ecx+ecx-75h]; iretd	0_2_05585F42
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 3_2_00402AC0 push eax; ret	3_2_00402AD4
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: 3_2_00402AC0 push eax; ret	3_2_00402AFC

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Static PE information: section name: .text entropy: 7.817160563060522

Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, LBaAs8IWyUS1ZF5LRb.cs	High entropy of concatenated method names: 'Tp7DoBEKKN', 'lQ4DCMWX0o', 'LGBDhrAjRI', 'TObDj1H6pj', 'rcvDAAEINv', 'KcdDZJrpCK', 'UhxDHTHdnI', 'PaIDeYZ6RB', 'xqQD7e1g83', 'uvLDPahsv2'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, NhAKgY6c0GhGL3Za0H.cs	High entropy of concatenated method names: 'COAkvC7icW', 'pdJk6yMJEs', 'SxNkmfjCaK', 'BfckBbh9ZQ', 'ASBklPAY9H', 'jk1kYO5Sy4', 'aXTkbXN1Q9', 'b0rkU03LqG', 'OsTkiF96MZ', 'iRrkswh7Tl'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, Xb7yYDqQdoemsexOEX.cs	High entropy of concatenated method names: 'NaPxliplwN', 'UpExbrxpiL', 'tKxShmQgfY', 'QcgSjiVKiI', 'uJ0SADllbw', 'oY0SZc65fs', 'JvgSH4t0Nr', 'cPPSeLVZm9', 'oM1S7vNl2W', 'CruSPktfCX'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, uOuK02jv1JniKktPbS.cs	High entropy of concatenated method names: 'wEQwUTv4OF', 'QRSwiylntb', 'T0Kwoa4I4U', 'aeXwCw4A5V', 'iTAwjDkvpj', 'bpqwAbrMIP', 'SmJwHQ2Y1G', 'AP6we2EErX', 'lR8wP4vWHO', 'a27wq7HQkw'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, gqLdhfgJ63wGeqV5ri.cs	High entropy of concatenated method names: 'HZR5R7fqXb', 'EgT5gBU7gR', 'FqufOf14Bl', 'CQwfIWkVVb', 'Iex5qah5ig', 'n5a5dqAY4I', 'YnH58NB4XA', 'VdZ5KWCpwD', 'vYd5WrGivt', 'PB05MWpAwb'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, Rj270h1OduOm9AuxB1.cs	High entropy of concatenated method names: 'QuXVaLYktR', 'XAhVNbR7i6', 'qNuVx1llAt', 'cTHVktg0XW', 'IjbVu2CgxP', 'dUNx9bWkvi', 'Lb5xEPS2Zw', 'rPKxFkPibO', 'fQxxRnd2Uq', 'BBfxJ3qGHv'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, orIOfZoiatv7Y7FWRVK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'veCLDHThyx', 'HwALrSHeXi', 'w3eL1iaa8w', 'joiLLqW8Gs', 'TCpLc8psqN', 'CRZLTrgIQP', 'DMVLGC57dV'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, BtxVL6N6x2r93u2V8L.cs	High entropy of concatenated method names: 'TA55XwHJbA', 's6p5tYYLvj', 'ToString', 'V925Q9cPFe', 'H2K5N5TeLI', 'd8s5Smdcbp', 'Mxn5xnyG4n', 'lZc5VxsTFR', 'juA5kq6FRP', 'KK25uv5paR'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, MDK1m6on0YKcO7WEwW6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cKCrqy54Z1', 'pEGrdIHXex', 'aLer8yP1wE', 'fURrKXFRwy', 'RvOrWU9ASV', 'WI7rMf3IXm', 'kONr0ASLQV'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, Fo6umtKCGA4WNV4MXU.cs	High entropy of concatenated method names: 'cThkQlpBGM', 'W1AkSA3L3T', 'W55kVmYmGq', 'oV0VggP3y7', 'QGVVzUviVB', 'EgDkOk7NMx', 'oT2kIR2iEL', 'hYYk2JPaSy', 'yq9kyHtQmn', 'vsQkndGVHZ'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, DXaGUTz76nUUyhVnBy.cs	High entropy of concatenated method names: 'LxcrYg5yZ5', 'HuprUdXXW9', 'MVYri1sKBu', 'YnPro2nfc7', 'XECrCgbS4j', 'GMFrjVrdqs', 'D3HrArEYs8', 'rP5rG6CBog', 'noUrv6V9Zv', 'WIPr6t7R8N'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, UOOjCHookCqG0Pmreqp.cs	High entropy of concatenated method names: 'ybNrgxVUGn', 'hYCrzGY2ET', 'isb1OpTBQC', 'bDx1IjpSFL', 'clO12yU6UV', 'uwB1yqnGN6', 'msw1nb50MY', 'hZF1aCvVao', 'vTE1QVIC74', 'CBh1NanFER'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, GIv0XWHDlvbRlvtba3.cs	High entropy of concatenated method names: 'nl7SBhGYvE', 'mi3SYlNOXx', 'X7iSUGF12V', 'eRWSihAj6b', 'laSSpv4eJj', 'k8sS493Jy7', 'MtMS5OT7GA', 'hX4SffNx7C', 'Rp7SDniro8', 'PUcSrLQroV'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, hciYJWBKSFLmRjsdYN.cs	High entropy of concatenated method names: 'i5tDpU0s6o', 'V28D5qr4sb', 'Qi6DDu2rJu', 'o1sD1Aw8ir', 'zE0DcAFrS9', 'PvHDGFc1tQ', 'Dispose', 'E0VfQFejOV', 'IeIfNjmKLT', 'X05fSZi07C'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, DJ0csheIXwfPODPuyJ.cs	High entropy of concatenated method names: 'fiVNK7PWXm', 'bPFNW2VoDj', 'zslNMtUUOd', 'OPnN0CtSvA', 'bHKN9Uh9p4', 'WQhNElrdpg', 'LceNFL93Jb', 'PbjNRpDRTr', 'qFkNJTwGno', 'o7xNg3hwwo'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, beLkqB3Iwvy8ogj8cp.cs	High entropy of concatenated method names: 'cj8mhsHqe', 'JwxBNf6eU', 'AuVYa6Smb', 'V5Fb3CseI', 'QGfi6T5wI', 'o3UsnoyGl', 'wZ5gysCQMQGZaxZQ8V', 'ENnkZnftsXws81vCOA', 'e25fmFrJ1', 'QY2rnWfmi'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, Ehixfxl3yFifZpLnXF.cs	High entropy of concatenated method names: 'Dispose', 'e1fIJoUwqj', 'epr2C8ZyU3', 'vXmL9oHPf9', 'rBWIgsxCxk', 'NMKIzy14PK', 'ProcessDialogKey', 'uLU2OYgrmD', 'RIC2Ivg6MW', 'uLU22XJo7x'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, VH68BuZJotZrA8x4Ij.cs	High entropy of concatenated method names: 'YrUrSsZdJm', 'nZ2rx1tPGK', 'DRDrV3EZ50', 'C4UrklIf3p', 'LJFrDJD34N', 'z4grup2LvL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, cI4vZJi0iAhLScUQAq.cs	High entropy of concatenated method names: 'Wv2IkDX9fW', 'RxCIu4vj7r', 'lP4IXrCymp', 'J1UItHJIXM', 'nmFIpmb9Vb', 'LdMI4x9urY', 'Qn55WyohxXn9UwSey9', 'C5LePdZklWk8g2wv8y', 'Qi85aAENjAZNamw7kR', 'kpkIIwfHGj'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.41ad1a0.5.raw.unpack, E8mOPthvLlg3oa2bF7.cs	High entropy of concatenated method names: 'IU0yahTD4G', 'aaYyQtxS7C', 'XpkyNcv8oF', 'zWuySoNFZa', 'QH3yx6WTDJ', 'rj8yVBkYDD', 'XOgyknMWTk', 'wlByudArjV', 'IfKy3F083G', 'yDgyXPm6n1'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, LBaAs8IWyUS1ZF5LRb.cs	High entropy of concatenated method names: 'Tp7DoBEKKN', 'lQ4DCMWX0o', 'LGBDhrAjRI', 'TObDj1H6pj', 'rcvDAAEINv', 'KcdDZJrpCK', 'UhxDHTHdnI', 'PaIDeYZ6RB', 'xqQD7e1g83', 'uvLDPahsv2'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, NhAKgY6c0GhGL3Za0H.cs	High entropy of concatenated method names: 'COAkvC7icW', 'pdJk6yMJEs', 'SxNkmfjCaK', 'BfckBbh9ZQ', 'ASBklPAY9H', 'jk1kYO5Sy4', 'aXTkbXN1Q9', 'b0rkU03LqG', 'OsTkiF96MZ', 'iRrkswh7Tl'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, Xb7yYDqQdoemsexOEX.cs	High entropy of concatenated method names: 'NaPxliplwN', 'UpExbrxpiL', 'tKxShmQgfY', 'QcgSjiVKiI', 'uJ0SADllbw', 'oY0SZc65fs', 'JvgSH4t0Nr', 'cPPSeLVZm9', 'oM1S7vNl2W', 'CruSPktfCX'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, uOuK02jv1JniKktPbS.cs	High entropy of concatenated method names: 'wEQwUTv4OF', 'QRSwiylntb', 'T0Kwoa4I4U', 'aeXwCw4A5V', 'iTAwjDkvpj', 'bpqwAbrMIP', 'SmJwHQ2Y1G', 'AP6we2EErX', 'lR8wP4vWHO', 'a27wq7HQkw'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, gqLdhfgJ63wGeqV5ri.cs	High entropy of concatenated method names: 'HZR5R7fqXb', 'EgT5gBU7gR', 'FqufOf14Bl', 'CQwfIWkVVb', 'Iex5qah5ig', 'n5a5dqAY4I', 'YnH58NB4XA', 'VdZ5KWCpwD', 'vYd5WrGivt', 'PB05MWpAwb'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, Rj270h1OduOm9AuxB1.cs	High entropy of concatenated method names: 'QuXVaLYktR', 'XAhVNbR7i6', 'qNuVx1llAt', 'cTHVktg0XW', 'IjbVu2CgxP', 'dUNx9bWkvi', 'Lb5xEPS2Zw', 'rPKxFkPibO', 'fQxxRnd2Uq', 'BBfxJ3qGHv'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, orIOfZoiatv7Y7FWRVK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'veCLDHThyx', 'HwALrSHeXi', 'w3eL1iaa8w', 'joiLLqW8Gs', 'TCpLc8psqN', 'CRZLTrgIQP', 'DMVLGC57dV'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, BtxVL6N6x2r93u2V8L.cs	High entropy of concatenated method names: 'TA55XwHJbA', 's6p5tYYLvj', 'ToString', 'V925Q9cPFe', 'H2K5N5TeLI', 'd8s5Smdcbp', 'Mxn5xnyG4n', 'lZc5VxsTFR', 'juA5kq6FRP', 'KK25uv5paR'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, MDK1m6on0YKcO7WEwW6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cKCrqy54Z1', 'pEGrdIHXex', 'aLer8yP1wE', 'fURrKXFRwy', 'RvOrWU9ASV', 'WI7rMf3IXm', 'kONr0ASLQV'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, Fo6umtKCGA4WNV4MXU.cs	High entropy of concatenated method names: 'cThkQlpBGM', 'W1AkSA3L3T', 'W55kVmYmGq', 'oV0VggP3y7', 'QGVVzUviVB', 'EgDkOk7NMx', 'oT2kIR2iEL', 'hYYk2JPaSy', 'yq9kyHtQmn', 'vsQkndGVHZ'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, DXaGUTz76nUUyhVnBy.cs	High entropy of concatenated method names: 'LxcrYg5yZ5', 'HuprUdXXW9', 'MVYri1sKBu', 'YnPro2nfc7', 'XECrCgbS4j', 'GMFrjVrdqs', 'D3HrArEYs8', 'rP5rG6CBog', 'noUrv6V9Zv', 'WIPr6t7R8N'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, UOOjCHookCqG0Pmreqp.cs	High entropy of concatenated method names: 'ybNrgxVUGn', 'hYCrzGY2ET', 'isb1OpTBQC', 'bDx1IjpSFL', 'clO12yU6UV', 'uwB1yqnGN6', 'msw1nb50MY', 'hZF1aCvVao', 'vTE1QVIC74', 'CBh1NanFER'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, GIv0XWHDlvbRlvtba3.cs	High entropy of concatenated method names: 'nl7SBhGYvE', 'mi3SYlNOXx', 'X7iSUGF12V', 'eRWSihAj6b', 'laSSpv4eJj', 'k8sS493Jy7', 'MtMS5OT7GA', 'hX4SffNx7C', 'Rp7SDniro8', 'PUcSrLQroV'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, hciYJWBKSFLmRjsdYN.cs	High entropy of concatenated method names: 'i5tDpU0s6o', 'V28D5qr4sb', 'Qi6DDu2rJu', 'o1sD1Aw8ir', 'zE0DcAFrS9', 'PvHDGFc1tQ', 'Dispose', 'E0VfQFejOV', 'IeIfNjmKLT', 'X05fSZi07C'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, DJ0csheIXwfPODPuyJ.cs	High entropy of concatenated method names: 'fiVNK7PWXm', 'bPFNW2VoDj', 'zslNMtUUOd', 'OPnN0CtSvA', 'bHKN9Uh9p4', 'WQhNElrdpg', 'LceNFL93Jb', 'PbjNRpDRTr', 'qFkNJTwGno', 'o7xNg3hwwo'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, beLkqB3Iwvy8ogj8cp.cs	High entropy of concatenated method names: 'cj8mhsHqe', 'JwxBNf6eU', 'AuVYa6Smb', 'V5Fb3CseI', 'QGfi6T5wI', 'o3UsnoyGl', 'wZ5gysCQMQGZaxZQ8V', 'ENnkZnftsXws81vCOA', 'e25fmFrJ1', 'QY2rnWfmi'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, Ehixfxl3yFifZpLnXF.cs	High entropy of concatenated method names: 'Dispose', 'e1fIJoUwqj', 'epr2C8ZyU3', 'vXmL9oHPf9', 'rBWIgsxCxk', 'NMKIzy14PK', 'ProcessDialogKey', 'uLU2OYgrmD', 'RIC2Ivg6MW', 'uLU22XJo7x'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, VH68BuZJotZrA8x4Ij.cs	High entropy of concatenated method names: 'YrUrSsZdJm', 'nZ2rx1tPGK', 'DRDrV3EZ50', 'C4UrklIf3p', 'LJFrDJD34N', 'z4grup2LvL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, cI4vZJi0iAhLScUQAq.cs	High entropy of concatenated method names: 'Wv2IkDX9fW', 'RxCIu4vj7r', 'lP4IXrCymp', 'J1UItHJIXM', 'nmFIpmb9Vb', 'LdMI4x9urY', 'Qn55WyohxXn9UwSey9', 'C5LePdZklWk8g2wv8y', 'Qi85aAENjAZNamw7kR', 'kpkIIwfHGj'
Source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.414ef80.4.raw.unpack, E8mOPthvLlg3oa2bF7.cs	High entropy of concatenated method names: 'IU0yahTD4G', 'aaYyQtxS7C', 'XpkyNcv8oF', 'zWuySoNFZa', 'QH3yx6WTDJ', 'rj8yVBkYDD', 'XOgyknMWTk', 'wlByudArjV', 'IfKy3F083G', 'yDgyXPm6n1'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 6212, type: MEMORYSTR

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Memory allocated: 2E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Memory allocated: 4FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Memory allocated: 7C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Memory allocated: 8C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Memory allocated: 8DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Memory allocated: 9DB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5841			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3934			Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe TID: 6228	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6640	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe TID: 5444	Thread sleep time: -240000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

3_2_00403D74

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1730608006.0000000001141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000003.00000002.2940251539.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h]

3_2_0040317B

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Code function: 3_2_00402B7C GetProcessHeap,RtlAllocateHeap,

3_2_00402B7C

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe"
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Memory written: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Process created: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe "C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe PID: 2140, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: PopPassword		3_2_0040D069
Source: C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Code function: SmtpPassword		3_2_0040D069

Source: Yara match	File source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40428d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.40288b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1738700817.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738700817.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	11 Disable or Modify Tools	2 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	38%	Virustotal		Browse
Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.Genie8DN
Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	100%	Avira	HEUR/AGEN.1307372

Source	Detection	Scanner	Label
http://kbfvzoboss.bid/alien/fre.php	100%	Avira URL Cloud	phishing
http://alphastand.win/alien/fre.php	100%	Avira URL Cloud	malware
http://www.ibsensoftware.com/	0%	Avira URL Cloud	safe
http://alphastand.trade/alien/fre.php	100%	Avira URL Cloud	malware
http://alphastand.top/alien/fre.php	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
touxzw.ir	104.21.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	Avira URL Cloud: phishing	unknown
http://alphastand.top/alien/fre.php	true	Avira URL Cloud: phishing	unknown
http://alphastand.win/alien/fre.php	true	Avira URL Cloud: malware	unknown
http://alphastand.trade/alien/fre.php	true	Avira URL Cloud: malware	unknown
http://touxzw.ir/sccc/five/fre.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000003.00000002.2939897653.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1736504866.000000000300E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740440978.00000000071A2000.00000004.00000800.00020000.00000000.sdmp, Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe, 00000000.00000002.1740399992.00000000059C4000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.112.1	touxzw.ir	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1631486
Start date and time:	2025-03-07 08:23:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/8@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 73 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, ctldl.windowsupdate.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:24:11	API Interceptor	62x Sleep call for process: Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe modified
02:24:13	API Interceptor	18x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	ORDER-000291-XLSX.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	Quotation_Order_Request_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	CACUuGJw8e.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	loveme123ru.ru/PipeAuthmultiwordpress.php
	Udeladelsers21.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.tumbetgirislinki.fit/7tw6/
	http://onedrivesharedfiles.sbs/	Get hash	malicious	DarkCloud	Browse	onedrivesharedfiles.sbs/
	PAYMENT SWIFT COPY.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	scan_0219025_pdf.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	gH68ux6XtG.exe	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	PO from tpc Type 34.1 34,2 35 Spec 1.js	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	SHIPMENT OF THE ORIGINAL DOCUMENTS.exe	Get hash	malicious	FormBook	Browse	www.sv3880.vip/zhdz/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
touxzw.ir	Payment Record.exe	Get hash	malicious	Lokibot	Browse	104.21.16.1
	Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	ORDER-000291-XLSX.exe	Get hash	malicious	Lokibot	Browse	104.21.112.1
	Quotation_Order_Request_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	104.21.112.1
	PRI_VTK250419A.exe	Get hash	malicious	Lokibot	Browse	104.21.32.1
	Payment.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	104.21.16.1
	PRI_VTK250419A.exe	Get hash	malicious	Lokibot	Browse	104.21.80.1
	7RryusxiMtHBz80.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	PO.exe	Get hash	malicious	Lokibot	Browse	104.21.96.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Payment Invoice ref0306252.exe	Get hash	malicious	FormBook	Browse	104.21.32.1
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.112.1
	xworm.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	bkHLzNaNMS.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	bkHLzNaNMS.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	ba.bat	Get hash	malicious	Unknown	Browse	162.159.134.42
	datasheet.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	desaremix.exe	Get hash	malicious	KillMBR	Browse	162.159.61.3
	CV Jennyfer Rojas.exe	Get hash	malicious	FormBook	Browse	172.67.130.15
	ATT9668233.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

Process:	C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZeUyus:fLHyIFKL3IZ2KRH9Ougos
MD5:	28F8623974ADE7FF0B49C3406E91E372
SHA1:	739F9DD671D9788B182A7A2D506A3919CA1C6098
SHA-256:	3CFE86C229FC35A9886CD7D5A46DFF98C0389C9294C35AA82FA4F907A72E8269
SHA-512:	93E2DC72E86EE4006A29687F845FA384C4B3DF320191C77E64CF3EF751D641BB51328F5F36F31FF781F07233A4D3BF24DBC57CCE9B943756257D0A1E0912AB32
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5bl4klug.ogk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c0ukadga.zaw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hyjtwjbp.vhz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svwdn54e.yc5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.804274709362841
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe
File size:	508'928 bytes
MD5:	2ebec0083b5b2e5383a18b60facad07c
SHA1:	be16ecd499f895583cf3d4e7dec37d0bbe37db5c
SHA256:	cb3a38b5b53f478a2a83ea040885ccb2bea9d29e3d9db4af38914bcd21bf89db
SHA512:	89eccaf2a4eb4d38be68f50bd236224786ea4f361f1fbe233a995a5418121b7b50c77cfd2ccf5a26a1bca641aa32fd610e293e80e5d654fd0cc7a9b3d75752dd
SSDEEP:	12288:vqX+0LeY8o+62ZxHFz/d6PSEKuN8bTF8QjlN5Eeg62r:vu++eYJ+62ZxBd+kHaQP5Ett
TLSH:	07B401E97A98CD22DEE81B700632E37A4378AE9DE411E3475AED9CEF74213347518352
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...lo.g..............0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	7549656d6d398e8d

Static PE Info

General

Entrypoint:	0x47cc16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67CA6F6C [Fri Mar 7 04:00:44 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7cbc4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e000	0x10c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x80000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7ac1c	0x7ae00	473a746f79fd4c8d5c382372162ba506	False	0.918634362283825	data	7.817160563060522	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7e000	0x10c4	0x1200	c744f2099483a370d2ac6c7db0bf7f13	False	0.7135416666666666	data	6.446198374007925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x80000	0xc	0x200	e3d10071989b1b23f8462a47a50d0ede	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x7e0c8	0xc7a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8810269254852849
RT_GROUP_ICON	0x7ed54	0x14	data	1.05
RT_VERSION	0x7ed78	0x348	data	0.4357142857142857

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	ExternalDSL
CompanyName	WF_SINCOS
FileDescription	WF LOGIN
FileVersion	1.1.2.2
InternalName	LFgx.exe
LegalCopyright	WF_SINCOS 2024 (C)
LegalTrademarks	ExternalDSL
OriginalFilename	LFgx.exe
ProductName	WF-LOGIN
ProductVersion	1.1.2.2
Assembly Version	1.1.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T08:24:15.016953+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49736	104.21.112.1	80	TCP
2025-03-07T08:24:15.016953+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49736	104.21.112.1	80	TCP
2025-03-07T08:24:15.016953+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49736	104.21.112.1	80	TCP
2025-03-07T08:24:15.952104+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	49736	104.21.112.1	80	TCP
2025-03-07T08:24:17.286057+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49738	104.21.112.1	80	TCP
2025-03-07T08:24:17.286057+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49738	104.21.112.1	80	TCP
2025-03-07T08:24:17.286057+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49738	104.21.112.1	80	TCP
2025-03-07T08:24:18.096044+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	49738	104.21.112.1	80	TCP
2025-03-07T08:24:18.203172+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49739	104.21.112.1	80	TCP
2025-03-07T08:24:18.203172+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49739	104.21.112.1	80	TCP
2025-03-07T08:24:18.203172+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49739	104.21.112.1	80	TCP
2025-03-07T08:24:19.082760+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49739	104.21.112.1	80	TCP
2025-03-07T08:24:20.253277+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49740	104.21.112.1	80	TCP
2025-03-07T08:24:20.253277+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49740	104.21.112.1	80	TCP
2025-03-07T08:24:20.253277+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49740	104.21.112.1	80	TCP
2025-03-07T08:24:21.106091+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49740	104.21.112.1	80	TCP
2025-03-07T08:24:21.111104+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49740	TCP
2025-03-07T08:24:22.262059+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49741	104.21.112.1	80	TCP
2025-03-07T08:24:22.262059+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49741	104.21.112.1	80	TCP
2025-03-07T08:24:22.262059+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49741	104.21.112.1	80	TCP
2025-03-07T08:24:23.125095+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49741	104.21.112.1	80	TCP
2025-03-07T08:24:23.132235+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49741	TCP
2025-03-07T08:24:24.280450+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49742	104.21.112.1	80	TCP
2025-03-07T08:24:24.280450+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49742	104.21.112.1	80	TCP
2025-03-07T08:24:24.280450+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49742	104.21.112.1	80	TCP
2025-03-07T08:24:25.039844+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49742	104.21.112.1	80	TCP
2025-03-07T08:24:26.201904+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49743	104.21.112.1	80	TCP
2025-03-07T08:24:26.201904+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49743	104.21.112.1	80	TCP
2025-03-07T08:24:26.201904+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49743	104.21.112.1	80	TCP
2025-03-07T08:24:27.091578+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49743	104.21.112.1	80	TCP
2025-03-07T08:24:27.096804+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49743	TCP
2025-03-07T08:24:28.252431+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49745	104.21.112.1	80	TCP
2025-03-07T08:24:28.252431+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49745	104.21.112.1	80	TCP
2025-03-07T08:24:28.252431+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49745	104.21.112.1	80	TCP
2025-03-07T08:24:29.053470+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49745	104.21.112.1	80	TCP
2025-03-07T08:24:29.058560+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49745	TCP
2025-03-07T08:24:30.261790+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49746	104.21.112.1	80	TCP
2025-03-07T08:24:30.261790+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49746	104.21.112.1	80	TCP
2025-03-07T08:24:30.261790+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49746	104.21.112.1	80	TCP
2025-03-07T08:24:30.983553+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49746	104.21.112.1	80	TCP
2025-03-07T08:24:30.988596+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49746	TCP
2025-03-07T08:24:32.144976+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49747	104.21.112.1	80	TCP
2025-03-07T08:24:32.144976+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49747	104.21.112.1	80	TCP
2025-03-07T08:24:32.144976+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49747	104.21.112.1	80	TCP
2025-03-07T08:24:32.988040+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49747	104.21.112.1	80	TCP
2025-03-07T08:24:34.171879+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49748	104.21.112.1	80	TCP
2025-03-07T08:24:34.171879+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49748	104.21.112.1	80	TCP
2025-03-07T08:24:34.171879+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49748	104.21.112.1	80	TCP
2025-03-07T08:24:35.048363+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49748	104.21.112.1	80	TCP
2025-03-07T08:24:35.054813+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49748	TCP
2025-03-07T08:24:36.223994+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49749	104.21.112.1	80	TCP
2025-03-07T08:24:36.223994+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49749	104.21.112.1	80	TCP
2025-03-07T08:24:36.223994+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49749	104.21.112.1	80	TCP
2025-03-07T08:24:37.117967+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49749	104.21.112.1	80	TCP
2025-03-07T08:24:37.123128+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49749	TCP
2025-03-07T08:24:38.286416+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49750	104.21.112.1	80	TCP
2025-03-07T08:24:38.286416+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49750	104.21.112.1	80	TCP
2025-03-07T08:24:38.286416+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49750	104.21.112.1	80	TCP
2025-03-07T08:24:39.078178+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49750	104.21.112.1	80	TCP
2025-03-07T08:24:40.256520+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49751	104.21.112.1	80	TCP
2025-03-07T08:24:40.256520+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49751	104.21.112.1	80	TCP
2025-03-07T08:24:40.256520+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49751	104.21.112.1	80	TCP
2025-03-07T08:24:41.143475+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49751	104.21.112.1	80	TCP
2025-03-07T08:24:41.163880+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49751	TCP
2025-03-07T08:24:42.436062+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49752	104.21.112.1	80	TCP
2025-03-07T08:24:42.436062+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49752	104.21.112.1	80	TCP
2025-03-07T08:24:42.436062+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49752	104.21.112.1	80	TCP
2025-03-07T08:24:43.325583+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49752	104.21.112.1	80	TCP
2025-03-07T08:24:43.330839+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49752	TCP
2025-03-07T08:24:44.492511+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49753	104.21.112.1	80	TCP
2025-03-07T08:24:44.492511+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49753	104.21.112.1	80	TCP
2025-03-07T08:24:44.492511+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49753	104.21.112.1	80	TCP
2025-03-07T08:24:45.280345+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49753	104.21.112.1	80	TCP
2025-03-07T08:24:46.435568+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49754	104.21.112.1	80	TCP
2025-03-07T08:24:46.435568+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49754	104.21.112.1	80	TCP
2025-03-07T08:24:46.435568+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49754	104.21.112.1	80	TCP
2025-03-07T08:24:47.175993+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49754	104.21.112.1	80	TCP
2025-03-07T08:24:47.181143+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49754	TCP
2025-03-07T08:24:48.342766+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49755	104.21.112.1	80	TCP
2025-03-07T08:24:48.342766+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49755	104.21.112.1	80	TCP
2025-03-07T08:24:48.342766+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49755	104.21.112.1	80	TCP
2025-03-07T08:24:49.150723+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49755	104.21.112.1	80	TCP
2025-03-07T08:24:49.157166+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49755	TCP
2025-03-07T08:24:50.571633+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49756	104.21.112.1	80	TCP
2025-03-07T08:24:50.571633+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49756	104.21.112.1	80	TCP
2025-03-07T08:24:50.571633+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49756	104.21.112.1	80	TCP
2025-03-07T08:24:51.451712+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49756	104.21.112.1	80	TCP
2025-03-07T08:24:51.456830+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49756	TCP
2025-03-07T08:24:52.611614+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49757	104.21.112.1	80	TCP
2025-03-07T08:24:52.611614+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49757	104.21.112.1	80	TCP
2025-03-07T08:24:52.611614+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49757	104.21.112.1	80	TCP
2025-03-07T08:24:53.316430+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49757	104.21.112.1	80	TCP
2025-03-07T08:24:53.322281+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49757	TCP
2025-03-07T08:24:54.471504+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49758	104.21.112.1	80	TCP
2025-03-07T08:24:54.471504+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49758	104.21.112.1	80	TCP
2025-03-07T08:24:54.471504+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49758	104.21.112.1	80	TCP
2025-03-07T08:24:55.376170+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49758	104.21.112.1	80	TCP
2025-03-07T08:24:55.381294+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49758	TCP
2025-03-07T08:24:56.531253+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49759	104.21.112.1	80	TCP
2025-03-07T08:24:56.531253+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49759	104.21.112.1	80	TCP
2025-03-07T08:24:56.531253+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49759	104.21.112.1	80	TCP
2025-03-07T08:24:57.351310+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49759	104.21.112.1	80	TCP
2025-03-07T08:24:57.356353+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49759	TCP
2025-03-07T08:24:58.517773+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49760	104.21.112.1	80	TCP
2025-03-07T08:24:58.517773+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49760	104.21.112.1	80	TCP
2025-03-07T08:24:58.517773+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49760	104.21.112.1	80	TCP
2025-03-07T08:24:59.260948+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49760	104.21.112.1	80	TCP
2025-03-07T08:25:00.654075+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49762	104.21.112.1	80	TCP
2025-03-07T08:25:00.654075+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49762	104.21.112.1	80	TCP
2025-03-07T08:25:00.654075+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49762	104.21.112.1	80	TCP
2025-03-07T08:25:01.390790+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49762	104.21.112.1	80	TCP
2025-03-07T08:25:02.564181+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49763	104.21.112.1	80	TCP
2025-03-07T08:25:02.564181+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49763	104.21.112.1	80	TCP
2025-03-07T08:25:02.564181+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49763	104.21.112.1	80	TCP
2025-03-07T08:25:03.339456+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49763	104.21.112.1	80	TCP
2025-03-07T08:25:04.503853+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49764	104.21.112.1	80	TCP
2025-03-07T08:25:04.503853+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49764	104.21.112.1	80	TCP
2025-03-07T08:25:04.503853+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49764	104.21.112.1	80	TCP
2025-03-07T08:25:05.299137+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49764	104.21.112.1	80	TCP
2025-03-07T08:25:05.304132+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49764	TCP
2025-03-07T08:25:06.454970+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49766	104.21.112.1	80	TCP
2025-03-07T08:25:06.454970+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49766	104.21.112.1	80	TCP
2025-03-07T08:25:06.454970+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49766	104.21.112.1	80	TCP
2025-03-07T08:25:07.200606+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49766	104.21.112.1	80	TCP
2025-03-07T08:25:08.384288+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49768	104.21.112.1	80	TCP
2025-03-07T08:25:08.384288+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49768	104.21.112.1	80	TCP
2025-03-07T08:25:08.384288+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49768	104.21.112.1	80	TCP
2025-03-07T08:25:09.121305+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49768	104.21.112.1	80	TCP
2025-03-07T08:25:10.286089+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49769	104.21.112.1	80	TCP
2025-03-07T08:25:10.286089+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49769	104.21.112.1	80	TCP
2025-03-07T08:25:10.286089+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49769	104.21.112.1	80	TCP
2025-03-07T08:25:10.998882+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49769	104.21.112.1	80	TCP
2025-03-07T08:25:12.156848+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49770	104.21.112.1	80	TCP
2025-03-07T08:25:12.156848+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49770	104.21.112.1	80	TCP
2025-03-07T08:25:12.156848+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49770	104.21.112.1	80	TCP
2025-03-07T08:25:12.949268+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49770	104.21.112.1	80	TCP
2025-03-07T08:25:12.954696+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49770	TCP
2025-03-07T08:25:14.107884+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49771	104.21.112.1	80	TCP
2025-03-07T08:25:14.107884+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49771	104.21.112.1	80	TCP
2025-03-07T08:25:14.107884+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49771	104.21.112.1	80	TCP
2025-03-07T08:25:14.847990+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49771	104.21.112.1	80	TCP
2025-03-07T08:25:16.002778+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49776	104.21.112.1	80	TCP
2025-03-07T08:25:16.002778+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49776	104.21.112.1	80	TCP
2025-03-07T08:25:16.002778+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49776	104.21.112.1	80	TCP
2025-03-07T08:25:16.748573+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49776	104.21.112.1	80	TCP
2025-03-07T08:25:17.904744+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49777	104.21.112.1	80	TCP
2025-03-07T08:25:17.904744+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49777	104.21.112.1	80	TCP
2025-03-07T08:25:17.904744+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49777	104.21.112.1	80	TCP
2025-03-07T08:25:18.675762+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49777	104.21.112.1	80	TCP
2025-03-07T08:25:18.680858+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49777	TCP
2025-03-07T08:25:19.830030+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49778	104.21.112.1	80	TCP
2025-03-07T08:25:19.830030+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49778	104.21.112.1	80	TCP
2025-03-07T08:25:19.830030+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49778	104.21.112.1	80	TCP
2025-03-07T08:25:20.587269+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49778	104.21.112.1	80	TCP
2025-03-07T08:25:20.592318+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49778	TCP
2025-03-07T08:25:21.749546+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49779	104.21.112.1	80	TCP
2025-03-07T08:25:21.749546+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49779	104.21.112.1	80	TCP
2025-03-07T08:25:21.749546+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49779	104.21.112.1	80	TCP
2025-03-07T08:25:22.517407+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49779	104.21.112.1	80	TCP
2025-03-07T08:25:22.522515+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49779	TCP
2025-03-07T08:25:23.671748+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49780	104.21.112.1	80	TCP
2025-03-07T08:25:23.671748+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49780	104.21.112.1	80	TCP
2025-03-07T08:25:23.671748+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49780	104.21.112.1	80	TCP
2025-03-07T08:25:24.433485+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49780	104.21.112.1	80	TCP
2025-03-07T08:25:24.438733+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49780	TCP
2025-03-07T08:25:25.749698+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49781	104.21.112.1	80	TCP
2025-03-07T08:25:25.749698+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49781	104.21.112.1	80	TCP
2025-03-07T08:25:25.749698+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49781	104.21.112.1	80	TCP
2025-03-07T08:25:26.488716+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49781	104.21.112.1	80	TCP
2025-03-07T08:25:27.653206+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49787	104.21.112.1	80	TCP
2025-03-07T08:25:27.653206+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49787	104.21.112.1	80	TCP
2025-03-07T08:25:27.653206+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49787	104.21.112.1	80	TCP
2025-03-07T08:25:28.391050+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49787	104.21.112.1	80	TCP
2025-03-07T08:25:29.562621+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49788	104.21.112.1	80	TCP
2025-03-07T08:25:29.562621+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49788	104.21.112.1	80	TCP
2025-03-07T08:25:29.562621+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49788	104.21.112.1	80	TCP
2025-03-07T08:25:30.201618+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49788	104.21.112.1	80	TCP
2025-03-07T08:25:30.207269+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49788	TCP
2025-03-07T08:25:31.357537+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49789	104.21.112.1	80	TCP
2025-03-07T08:25:31.357537+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49789	104.21.112.1	80	TCP
2025-03-07T08:25:31.357537+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49789	104.21.112.1	80	TCP
2025-03-07T08:25:32.148176+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49789	104.21.112.1	80	TCP
2025-03-07T08:25:32.153167+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49789	TCP
2025-03-07T08:25:33.311187+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49790	104.21.112.1	80	TCP
2025-03-07T08:25:33.311187+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49790	104.21.112.1	80	TCP
2025-03-07T08:25:33.311187+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49790	104.21.112.1	80	TCP
2025-03-07T08:25:35.070684+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49790	104.21.112.1	80	TCP
2025-03-07T08:25:36.249224+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49792	104.21.112.1	80	TCP
2025-03-07T08:25:36.249224+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49792	104.21.112.1	80	TCP
2025-03-07T08:25:36.249224+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49792	104.21.112.1	80	TCP
2025-03-07T08:25:37.055102+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49792	104.21.112.1	80	TCP
2025-03-07T08:25:37.060188+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49792	TCP
2025-03-07T08:25:38.308944+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49793	104.21.112.1	80	TCP
2025-03-07T08:25:38.308944+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49793	104.21.112.1	80	TCP
2025-03-07T08:25:38.308944+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49793	104.21.112.1	80	TCP
2025-03-07T08:25:39.088328+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49793	104.21.112.1	80	TCP
2025-03-07T08:25:39.093482+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49793	TCP
2025-03-07T08:25:40.250290+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49794	104.21.112.1	80	TCP
2025-03-07T08:25:40.250290+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49794	104.21.112.1	80	TCP
2025-03-07T08:25:40.250290+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49794	104.21.112.1	80	TCP
2025-03-07T08:25:40.902109+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49794	104.21.112.1	80	TCP
2025-03-07T08:25:40.907252+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49794	TCP
2025-03-07T08:25:42.075913+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49795	104.21.112.1	80	TCP
2025-03-07T08:25:42.075913+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49795	104.21.112.1	80	TCP
2025-03-07T08:25:42.075913+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49795	104.21.112.1	80	TCP
2025-03-07T08:25:42.855622+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49795	104.21.112.1	80	TCP
2025-03-07T08:25:42.860696+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49795	TCP
2025-03-07T08:25:44.013591+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49796	104.21.112.1	80	TCP
2025-03-07T08:25:44.013591+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49796	104.21.112.1	80	TCP
2025-03-07T08:25:44.013591+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49796	104.21.112.1	80	TCP
2025-03-07T08:25:44.649256+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49796	104.21.112.1	80	TCP
2025-03-07T08:25:44.654383+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49796	TCP
2025-03-07T08:25:45.812175+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49797	104.21.112.1	80	TCP
2025-03-07T08:25:45.812175+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49797	104.21.112.1	80	TCP
2025-03-07T08:25:45.812175+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49797	104.21.112.1	80	TCP
2025-03-07T08:25:46.646752+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49797	104.21.112.1	80	TCP
2025-03-07T08:25:46.654242+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49797	TCP
2025-03-07T08:25:47.967407+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49803	104.21.112.1	80	TCP
2025-03-07T08:25:47.967407+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49803	104.21.112.1	80	TCP
2025-03-07T08:25:47.967407+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49803	104.21.112.1	80	TCP
2025-03-07T08:25:48.795742+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49803	104.21.112.1	80	TCP
2025-03-07T08:25:48.800830+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49803	TCP
2025-03-07T08:25:49.967481+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49804	104.21.112.1	80	TCP
2025-03-07T08:25:49.967481+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49804	104.21.112.1	80	TCP
2025-03-07T08:25:49.967481+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49804	104.21.112.1	80	TCP
2025-03-07T08:25:50.696739+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49804	104.21.112.1	80	TCP
2025-03-07T08:25:50.701884+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49804	TCP
2025-03-07T08:25:51.857282+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49805	104.21.112.1	80	TCP
2025-03-07T08:25:51.857282+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49805	104.21.112.1	80	TCP
2025-03-07T08:25:51.857282+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49805	104.21.112.1	80	TCP
2025-03-07T08:25:52.662595+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49805	104.21.112.1	80	TCP
2025-03-07T08:25:52.667670+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49805	TCP
2025-03-07T08:25:53.826111+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49806	104.21.112.1	80	TCP
2025-03-07T08:25:53.826111+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49806	104.21.112.1	80	TCP
2025-03-07T08:25:53.826111+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49806	104.21.112.1	80	TCP
2025-03-07T08:25:54.557778+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49806	104.21.112.1	80	TCP
2025-03-07T08:25:55.717079+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49807	104.21.112.1	80	TCP
2025-03-07T08:25:55.717079+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49807	104.21.112.1	80	TCP
2025-03-07T08:25:55.717079+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49807	104.21.112.1	80	TCP
2025-03-07T08:25:56.492057+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49807	104.21.112.1	80	TCP
2025-03-07T08:25:56.497743+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49807	TCP
2025-03-07T08:25:57.675091+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49808	104.21.112.1	80	TCP
2025-03-07T08:25:57.675091+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49808	104.21.112.1	80	TCP
2025-03-07T08:25:57.675091+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49808	104.21.112.1	80	TCP
2025-03-07T08:25:58.311517+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49808	104.21.112.1	80	TCP
2025-03-07T08:25:58.316752+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49808	TCP
2025-03-07T08:25:59.470619+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49809	104.21.112.1	80	TCP
2025-03-07T08:25:59.470619+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49809	104.21.112.1	80	TCP
2025-03-07T08:25:59.470619+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49809	104.21.112.1	80	TCP
2025-03-07T08:26:00.211017+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49809	104.21.112.1	80	TCP
2025-03-07T08:26:01.372642+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49810	104.21.112.1	80	TCP
2025-03-07T08:26:01.372642+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49810	104.21.112.1	80	TCP
2025-03-07T08:26:01.372642+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49810	104.21.112.1	80	TCP
2025-03-07T08:26:02.145508+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49810	104.21.112.1	80	TCP
2025-03-07T08:26:02.206157+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49810	TCP
2025-03-07T08:26:03.435839+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49811	104.21.112.1	80	TCP
2025-03-07T08:26:03.435839+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49811	104.21.112.1	80	TCP
2025-03-07T08:26:03.435839+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49811	104.21.112.1	80	TCP
2025-03-07T08:26:04.185987+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49811	104.21.112.1	80	TCP
2025-03-07T08:26:05.350336+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49812	104.21.112.1	80	TCP
2025-03-07T08:26:05.350336+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49812	104.21.112.1	80	TCP
2025-03-07T08:26:05.350336+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49812	104.21.112.1	80	TCP
2025-03-07T08:26:05.993706+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49812	104.21.112.1	80	TCP
2025-03-07T08:26:05.998810+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49812	TCP
2025-03-07T08:26:07.171706+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49813	104.21.112.1	80	TCP
2025-03-07T08:26:07.171706+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49813	104.21.112.1	80	TCP
2025-03-07T08:26:07.171706+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49813	104.21.112.1	80	TCP
2025-03-07T08:26:07.911549+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49813	104.21.112.1	80	TCP
2025-03-07T08:26:09.225970+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49815	104.21.112.1	80	TCP
2025-03-07T08:26:09.225970+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49815	104.21.112.1	80	TCP
2025-03-07T08:26:09.225970+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49815	104.21.112.1	80	TCP
2025-03-07T08:26:09.978728+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49815	104.21.112.1	80	TCP
2025-03-07T08:26:11.148750+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49816	104.21.112.1	80	TCP
2025-03-07T08:26:11.148750+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49816	104.21.112.1	80	TCP
2025-03-07T08:26:11.148750+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49816	104.21.112.1	80	TCP
2025-03-07T08:26:12.602010+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49816	104.21.112.1	80	TCP
2025-03-07T08:26:12.607088+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49816	TCP
2025-03-07T08:26:13.761445+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49817	104.21.112.1	80	TCP
2025-03-07T08:26:13.761445+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49817	104.21.112.1	80	TCP
2025-03-07T08:26:13.761445+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49817	104.21.112.1	80	TCP
2025-03-07T08:26:14.533811+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49817	104.21.112.1	80	TCP
2025-03-07T08:26:14.538815+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.112.1	80	192.168.2.4	49817	TCP
2025-03-07T08:26:15.675191+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49818	104.21.112.1	80	TCP
2025-03-07T08:26:15.675191+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49818	104.21.112.1	80	TCP
2025-03-07T08:26:15.675191+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49818	104.21.112.1	80	TCP
2025-03-07T08:26:16.409908+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49818	104.21.112.1	80	TCP
2025-03-07T08:26:17.570526+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49819	104.21.112.1	80	TCP
2025-03-07T08:26:17.570526+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49819	104.21.112.1	80	TCP
2025-03-07T08:26:17.570526+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49819	104.21.112.1	80	TCP
2025-03-07T08:26:18.339274+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49819	104.21.112.1	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 08:24:15.004122972 CET	49736	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:15.009285927 CET	80	49736	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:15.009426117 CET	49736	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:15.011795998 CET	49736	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:15.016875982 CET	80	49736	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:15.016952991 CET	49736	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:15.021989107 CET	80	49736	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:15.951647997 CET	80	49736	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:15.952039957 CET	80	49736	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:15.952104092 CET	49736	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:15.954407930 CET	49736	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:15.959448099 CET	80	49736	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:17.271826982 CET	49738	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:17.278059959 CET	80	49738	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:17.278151989 CET	49738	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:17.281002998 CET	49738	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:17.286003113 CET	80	49738	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:17.286056995 CET	49738	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:17.291102886 CET	80	49738	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:18.095915079 CET	80	49738	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:18.096044064 CET	49738	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:18.096714020 CET	80	49738	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:18.096770048 CET	49738	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:18.101087093 CET	80	49738	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:18.188363075 CET	49739	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:18.193470001 CET	80	49739	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:18.193550110 CET	49739	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:18.197801113 CET	49739	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:18.202980042 CET	80	49739	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:18.203171968 CET	49739	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:18.208273888 CET	80	49739	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:19.082623005 CET	80	49739	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:19.082760096 CET	49739	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:19.083045006 CET	80	49739	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:19.083105087 CET	49739	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:19.089262009 CET	80	49739	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:20.239495993 CET	49740	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:20.244755983 CET	80	49740	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:20.244843006 CET	49740	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:20.248239040 CET	49740	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:20.253200054 CET	80	49740	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:20.253277063 CET	49740	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:20.258395910 CET	80	49740	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:21.105022907 CET	80	49740	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:21.105885983 CET	80	49740	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:21.106091022 CET	49740	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:21.106122017 CET	49740	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:21.111104012 CET	80	49740	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:22.249970913 CET	49741	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:22.255109072 CET	80	49741	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:22.255239964 CET	49741	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:22.257050037 CET	49741	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:22.261991978 CET	80	49741	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:22.262058973 CET	49741	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:22.267061949 CET	80	49741	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:23.124923944 CET	80	49741	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:23.125094891 CET	49741	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:23.125858068 CET	80	49741	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:23.125911951 CET	49741	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:23.132235050 CET	80	49741	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:24.267960072 CET	49742	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:24.273185015 CET	80	49742	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:24.273288012 CET	49742	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:24.275347948 CET	49742	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:24.280378103 CET	80	49742	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:24.280450106 CET	49742	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:24.286236048 CET	80	49742	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:25.039501905 CET	80	49742	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:25.039844036 CET	49742	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:25.040375948 CET	80	49742	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:25.040481091 CET	49742	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:25.044989109 CET	80	49742	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:26.189235926 CET	49743	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:26.194439888 CET	80	49743	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:26.194535971 CET	49743	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:26.196770906 CET	49743	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:26.201848030 CET	80	49743	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:26.201904058 CET	49743	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:26.206913948 CET	80	49743	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:27.091362953 CET	80	49743	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:27.091578007 CET	49743	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:27.092073917 CET	80	49743	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:27.092166901 CET	49743	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:27.096803904 CET	80	49743	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:28.239829063 CET	49745	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:28.245106936 CET	80	49745	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:28.245199919 CET	49745	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:28.247355938 CET	49745	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:28.252373934 CET	80	49745	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:28.252430916 CET	49745	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:28.257504940 CET	80	49745	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:29.053229094 CET	80	49745	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:29.053405046 CET	80	49745	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:29.053469896 CET	49745	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:29.053864002 CET	49745	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:29.058559895 CET	80	49745	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:30.249460936 CET	49746	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:30.254545927 CET	80	49746	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:30.254617929 CET	49746	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:30.256750107 CET	49746	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:30.261728048 CET	80	49746	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:30.261790037 CET	49746	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:30.266776085 CET	80	49746	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:30.983320951 CET	80	49746	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:30.983552933 CET	49746	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:30.984126091 CET	80	49746	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:30.984196901 CET	49746	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:30.988595963 CET	80	49746	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:32.131572962 CET	49747	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:32.136722088 CET	80	49747	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:32.136795998 CET	49747	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:32.139805079 CET	49747	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:32.144929886 CET	80	49747	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:32.144975901 CET	49747	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:32.149980068 CET	80	49747	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:32.987624884 CET	80	49747	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:32.988012075 CET	80	49747	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:32.988039970 CET	49747	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:32.988152981 CET	49747	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:32.993113995 CET	80	49747	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:34.159343958 CET	49748	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:34.164499044 CET	80	49748	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:34.164592981 CET	49748	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:34.166776896 CET	49748	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:34.171813965 CET	80	49748	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:34.171879053 CET	49748	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:34.176935911 CET	80	49748	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:35.048249960 CET	80	49748	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:35.048362970 CET	49748	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:35.049088001 CET	80	49748	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:35.049431086 CET	49748	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:35.054812908 CET	80	49748	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:36.210815907 CET	49749	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:36.216572046 CET	80	49749	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:36.216779947 CET	49749	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:36.218920946 CET	49749	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:36.223927975 CET	80	49749	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:36.223994017 CET	49749	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:36.228990078 CET	80	49749	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:37.117856026 CET	80	49749	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:37.117966890 CET	49749	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:37.118242025 CET	80	49749	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:37.118309021 CET	49749	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:37.123127937 CET	80	49749	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:38.272823095 CET	49750	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:38.278172970 CET	80	49750	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:38.278274059 CET	49750	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:38.281239986 CET	49750	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:38.286356926 CET	80	49750	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:38.286416054 CET	49750	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:38.291850090 CET	80	49750	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:39.078057051 CET	80	49750	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:39.078177929 CET	49750	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:39.079180002 CET	80	49750	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:39.079236984 CET	49750	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:39.083285093 CET	80	49750	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:40.243923903 CET	49751	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:40.249145985 CET	80	49751	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:40.249253988 CET	49751	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:40.251280069 CET	49751	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:40.256378889 CET	80	49751	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:40.256520033 CET	49751	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:40.261665106 CET	80	49751	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:41.142829895 CET	80	49751	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:41.143013000 CET	80	49751	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:41.143475056 CET	49751	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:41.158804893 CET	49751	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:41.163880110 CET	80	49751	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:42.423628092 CET	49752	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:42.428761959 CET	80	49752	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:42.428857088 CET	49752	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:42.430962086 CET	49752	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:42.436006069 CET	80	49752	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:42.436062098 CET	49752	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:42.441097021 CET	80	49752	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:43.325476885 CET	80	49752	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:43.325582981 CET	49752	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:43.326230049 CET	80	49752	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:43.326304913 CET	49752	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:43.330838919 CET	80	49752	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:44.479937077 CET	49753	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:44.485059977 CET	80	49753	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:44.485141039 CET	49753	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:44.487422943 CET	49753	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:44.492434025 CET	80	49753	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:44.492511034 CET	49753	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:44.497673988 CET	80	49753	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:45.280227900 CET	80	49753	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:45.280344963 CET	49753	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:45.280565023 CET	80	49753	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:45.280621052 CET	49753	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:45.285410881 CET	80	49753	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:46.422513008 CET	49754	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:46.427756071 CET	80	49754	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:46.427886009 CET	49754	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:46.429946899 CET	49754	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:46.435506105 CET	80	49754	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:46.435568094 CET	49754	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:46.440668106 CET	80	49754	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:47.175766945 CET	80	49754	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:47.175992966 CET	49754	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:47.176251888 CET	80	49754	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:47.176345110 CET	49754	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:47.181143045 CET	80	49754	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:48.330306053 CET	49755	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:48.335428953 CET	80	49755	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:48.335598946 CET	49755	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:48.337697029 CET	49755	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:48.342664957 CET	80	49755	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:48.342766047 CET	49755	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:48.347748041 CET	80	49755	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:49.150516033 CET	80	49755	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:49.150722980 CET	49755	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:49.151443005 CET	80	49755	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:49.151514053 CET	49755	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:49.157166004 CET	80	49755	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:50.557974100 CET	49756	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:50.563265085 CET	80	49756	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:50.563357115 CET	49756	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:50.566477060 CET	49756	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:50.571557045 CET	80	49756	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:50.571633101 CET	49756	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:50.576807022 CET	80	49756	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:51.451486111 CET	80	49756	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:51.451711893 CET	49756	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:51.452732086 CET	80	49756	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:51.452814102 CET	49756	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:51.456830025 CET	80	49756	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:52.599116087 CET	49757	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:52.604325056 CET	80	49757	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:52.604413033 CET	49757	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:52.606384039 CET	49757	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:52.611566067 CET	80	49757	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:52.611613989 CET	49757	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:52.616904974 CET	80	49757	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:53.316329002 CET	80	49757	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:53.316356897 CET	80	49757	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:53.316430092 CET	49757	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:53.316431046 CET	49757	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:53.322280884 CET	80	49757	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:54.457858086 CET	49758	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:54.463099003 CET	80	49758	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:54.463217020 CET	49758	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:54.466336012 CET	49758	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:54.471400023 CET	80	49758	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:54.471503973 CET	49758	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:54.476525068 CET	80	49758	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:55.375991106 CET	80	49758	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:55.376169920 CET	49758	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:55.376575947 CET	80	49758	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:55.376630068 CET	49758	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:55.381294012 CET	80	49758	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:56.518755913 CET	49759	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:56.523899078 CET	80	49759	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:56.524010897 CET	49759	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:56.526103973 CET	49759	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:56.531188011 CET	80	49759	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:56.531253099 CET	49759	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:56.536345005 CET	80	49759	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:57.351206064 CET	80	49759	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:57.351310015 CET	49759	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:57.352010012 CET	80	49759	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:57.352057934 CET	49759	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:57.356353045 CET	80	49759	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:58.501465082 CET	49760	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:58.510590076 CET	80	49760	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:58.510695934 CET	49760	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:58.512675047 CET	49760	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:58.517710924 CET	80	49760	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:58.517772913 CET	49760	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:58.523937941 CET	80	49760	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:59.260788918 CET	80	49760	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:59.260947943 CET	49760	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:59.261038065 CET	80	49760	104.21.112.1	192.168.2.4
Mar 7, 2025 08:24:59.261101007 CET	49760	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:24:59.266035080 CET	80	49760	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:00.641539097 CET	49762	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:00.646687031 CET	80	49762	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:00.646785021 CET	49762	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:00.648854017 CET	49762	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:00.654017925 CET	80	49762	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:00.654074907 CET	49762	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:00.659328938 CET	80	49762	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:01.389893055 CET	80	49762	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:01.390650988 CET	80	49762	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:01.390789986 CET	49762	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:01.391308069 CET	49762	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:01.396315098 CET	80	49762	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:02.550986052 CET	49763	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:02.556325912 CET	80	49763	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:02.556416035 CET	49763	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:02.558373928 CET	49763	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:02.564105034 CET	80	49763	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:02.564181089 CET	49763	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:02.569252014 CET	80	49763	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:03.339343071 CET	80	49763	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:03.339396954 CET	80	49763	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:03.339456081 CET	49763	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:03.339488983 CET	49763	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:03.344578981 CET	80	49763	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:04.491497040 CET	49764	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:04.496587038 CET	80	49764	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:04.496680021 CET	49764	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:04.498773098 CET	49764	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:04.503792048 CET	80	49764	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:04.503853083 CET	49764	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:04.508908987 CET	80	49764	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:05.299025059 CET	80	49764	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:05.299137115 CET	49764	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:05.299664021 CET	80	49764	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:05.299715996 CET	49764	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:05.304131985 CET	80	49764	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:06.441013098 CET	49766	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:06.446089983 CET	80	49766	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:06.446393013 CET	49766	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:06.449342012 CET	49766	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:06.454412937 CET	80	49766	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:06.454969883 CET	49766	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:06.459995031 CET	80	49766	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:07.200463057 CET	80	49766	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:07.200606108 CET	49766	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:07.201373100 CET	80	49766	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:07.201432943 CET	49766	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:07.205641985 CET	80	49766	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:08.369751930 CET	49768	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:08.376800060 CET	80	49768	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:08.376887083 CET	49768	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:08.378922939 CET	49768	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:08.384191036 CET	80	49768	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:08.384288073 CET	49768	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:08.389628887 CET	80	49768	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:09.121170998 CET	80	49768	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:09.121304989 CET	49768	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:09.121414900 CET	80	49768	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:09.121469975 CET	49768	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:09.126338005 CET	80	49768	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:10.268779039 CET	49769	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:10.273947954 CET	80	49769	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:10.274080038 CET	49769	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:10.276015997 CET	49769	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:10.280985117 CET	80	49769	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:10.286088943 CET	49769	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:10.291150093 CET	80	49769	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:10.998694897 CET	80	49769	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:10.998882055 CET	49769	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:10.998892069 CET	80	49769	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:10.998939991 CET	49769	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:11.003917933 CET	80	49769	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:12.140743017 CET	49770	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:12.145848989 CET	80	49770	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:12.148416996 CET	49770	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:12.151772976 CET	49770	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:12.156774998 CET	80	49770	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:12.156847954 CET	49770	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:12.161885977 CET	80	49770	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:12.949110985 CET	80	49770	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:12.949268103 CET	49770	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:12.949754953 CET	80	49770	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:12.949812889 CET	49770	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:12.954695940 CET	80	49770	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:14.095247984 CET	49771	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:14.100586891 CET	80	49771	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:14.100806952 CET	49771	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:14.102811098 CET	49771	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:14.107810020 CET	80	49771	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:14.107883930 CET	49771	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:14.112940073 CET	80	49771	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:14.847697973 CET	80	49771	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:14.847990036 CET	49771	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:14.849046946 CET	80	49771	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:14.849121094 CET	49771	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:14.853151083 CET	80	49771	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:15.990397930 CET	49776	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:15.995769978 CET	80	49776	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:15.995883942 CET	49776	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:15.997627020 CET	49776	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:16.002702951 CET	80	49776	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:16.002778053 CET	49776	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:16.007841110 CET	80	49776	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:16.748437881 CET	80	49776	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:16.748573065 CET	49776	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:16.748599052 CET	80	49776	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:16.748672009 CET	49776	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:16.753803968 CET	80	49776	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:17.892467022 CET	49777	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:17.897658110 CET	80	49777	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:17.897774935 CET	49777	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:17.899532080 CET	49777	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:17.904670000 CET	80	49777	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:17.904743910 CET	49777	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:17.909862041 CET	80	49777	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:18.675611973 CET	80	49777	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:18.675761938 CET	49777	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:18.675956011 CET	80	49777	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:18.676023960 CET	49777	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:18.680857897 CET	80	49777	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:19.817620039 CET	49778	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:19.822829962 CET	80	49778	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:19.823103905 CET	49778	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:19.824899912 CET	49778	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:19.829938889 CET	80	49778	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:19.830029964 CET	49778	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:19.834999084 CET	80	49778	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:20.587040901 CET	80	49778	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:20.587250948 CET	80	49778	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:20.587269068 CET	49778	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:20.587313890 CET	49778	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:20.592318058 CET	80	49778	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:21.736988068 CET	49779	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:21.742186069 CET	80	49779	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:21.742273092 CET	49779	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:21.744376898 CET	49779	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:21.749469042 CET	80	49779	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:21.749546051 CET	49779	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:21.754602909 CET	80	49779	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:22.517296076 CET	80	49779	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:22.517406940 CET	49779	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:22.517498016 CET	80	49779	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:22.517576933 CET	49779	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:22.522515059 CET	80	49779	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:23.656856060 CET	49780	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:23.663157940 CET	80	49780	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:23.663242102 CET	49780	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:23.665292025 CET	49780	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:23.671678066 CET	80	49780	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:23.671747923 CET	49780	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:23.677361012 CET	80	49780	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:24.433320999 CET	80	49780	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:24.433485031 CET	49780	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:24.434286118 CET	80	49780	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:24.434351921 CET	49780	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:24.438733101 CET	80	49780	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:25.731313944 CET	49781	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:25.736450911 CET	80	49781	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:25.736535072 CET	49781	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:25.744610071 CET	49781	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:25.749635935 CET	80	49781	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:25.749697924 CET	49781	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:25.754720926 CET	80	49781	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:26.488351107 CET	80	49781	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:26.488715887 CET	49781	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:26.489084959 CET	80	49781	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:26.489203930 CET	49781	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:26.493721962 CET	80	49781	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:27.640124083 CET	49787	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:27.645333052 CET	80	49787	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:27.645442009 CET	49787	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:27.647439003 CET	49787	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:27.653136969 CET	80	49787	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:27.653206110 CET	49787	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:27.658611059 CET	80	49787	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:28.390536070 CET	80	49787	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:28.390985966 CET	80	49787	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:28.391050100 CET	49787	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:28.405308962 CET	49787	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:28.410365105 CET	80	49787	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:29.549964905 CET	49788	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:29.555212021 CET	80	49788	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:29.555337906 CET	49788	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:29.557399988 CET	49788	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:29.562508106 CET	80	49788	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:29.562621117 CET	49788	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:29.567791939 CET	80	49788	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:30.201138973 CET	80	49788	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:30.201617956 CET	49788	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:30.201697111 CET	80	49788	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:30.201766968 CET	49788	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:30.207268953 CET	80	49788	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:31.344387054 CET	49789	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:31.350107908 CET	80	49789	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:31.350271940 CET	49789	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:31.352372885 CET	49789	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:31.357471943 CET	80	49789	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:31.357537031 CET	49789	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:31.362680912 CET	80	49789	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:32.148036957 CET	80	49789	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:32.148175955 CET	49789	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:32.148459911 CET	80	49789	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:32.148519039 CET	49789	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:32.153167009 CET	80	49789	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:33.298305988 CET	49790	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:33.303504944 CET	80	49790	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:33.303586960 CET	49790	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:33.305759907 CET	49790	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:33.311012030 CET	80	49790	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:33.311187029 CET	49790	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:33.316447020 CET	80	49790	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:35.070525885 CET	80	49790	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:35.070630074 CET	80	49790	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:35.070683956 CET	49790	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:35.074131966 CET	49790	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:35.075731039 CET	80	49790	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:36.236746073 CET	49792	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:36.241894960 CET	80	49792	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:36.242002010 CET	49792	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:36.244128942 CET	49792	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:36.249162912 CET	80	49792	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:36.249223948 CET	49792	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:36.254283905 CET	80	49792	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:37.054687023 CET	80	49792	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:37.055012941 CET	80	49792	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:37.055102110 CET	49792	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:37.055147886 CET	49792	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:37.060188055 CET	80	49792	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:38.296657085 CET	49793	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:38.301757097 CET	80	49793	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:38.301862001 CET	49793	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:38.303913116 CET	49793	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:38.308892012 CET	80	49793	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:38.308943987 CET	49793	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:38.314141989 CET	80	49793	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:39.088191032 CET	80	49793	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:39.088327885 CET	49793	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:39.088407040 CET	80	49793	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:39.088459969 CET	49793	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:39.093482018 CET	80	49793	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:40.237452030 CET	49794	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:40.242649078 CET	80	49794	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:40.242758036 CET	49794	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:40.244874954 CET	49794	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:40.250214100 CET	80	49794	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:40.250289917 CET	49794	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:40.255404949 CET	80	49794	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:40.901906013 CET	80	49794	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:40.902028084 CET	80	49794	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:40.902108908 CET	49794	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:40.902110100 CET	49794	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:40.907252073 CET	80	49794	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:42.063433886 CET	49795	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:42.068689108 CET	80	49795	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:42.068804979 CET	49795	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:42.070841074 CET	49795	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:42.075824976 CET	80	49795	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:42.075912952 CET	49795	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:42.081012964 CET	80	49795	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:42.855292082 CET	80	49795	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:42.855622053 CET	49795	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:42.856211901 CET	80	49795	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:42.856280088 CET	49795	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:42.860696077 CET	80	49795	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:44.000328064 CET	49796	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:44.006071091 CET	80	49796	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:44.006196022 CET	49796	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:44.008277893 CET	49796	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:44.013514996 CET	80	49796	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:44.013591051 CET	49796	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:44.018651962 CET	80	49796	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:44.649130106 CET	80	49796	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:44.649255991 CET	49796	80	192.168.2.4	104.21.112.1
Mar 7, 2025 08:25:44.649602890 CET	80	49796	104.21.112.1	192.168.2.4
Mar 7, 2025 08:25:44.649660110 CET	49796	80

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5bl4klug.ogk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c0ukadga.zaw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hyjtwjbp.vhz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svwdn54e.yc5.ps1

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe